Red Hat SummitChapter 22. Migrating From Certificate System 8 to 9
Red Hat Certificate System does not support in-place upgrades from an older major version, such as from 8.2 to 9. For major version upgrades, you must migrate the old instance. Additionally, you can use the same procedure to create a copy of your production environment for testing and debugging purposes.
Important
Before migrating, read the Red Hat Certificate System Release Notes.
A Certificate System migration requires the following steps:
22.1. Exporting Data from the Previous System
Before you set up the new Certificate System instance, export the data of the current certificate authority (CA).
On the host that runs the Certificate System instance:
- Create a directory for the files to export. For example:
mkdir -m 770 /tmp/cs_bak/
# mkdir -m 770 /tmp/cs_bak/Copy to Clipboard Copied! - Export the signing certificate and key:
- When using a hardware security module (HSM):
- List the CA signing certificate nickname. For example:
grep ca.cert.signing.nickname /etc/pki/instance_name/ca/CS.cfg
# grep ca.cert.signing.nickname /etc/pki/instance_name/ca/CS.cfg ca.signing.nickname=<nickname>Copy to Clipboard Copied! - Export the CA certificate:
certutil -L -d /var/lib/pki/instance_name/alias/ \ -n <nickname> \ -a > /tmp/cs_bak/ca_signing.crt# certutil -L -d /var/lib/pki/instance_name/alias/ \ -n <nickname> \ -a > /tmp/cs_bak/ca_signing.crtCopy to Clipboard Copied! The key is stored in the HSM and must be available to the new instance.
- When not using an HSM:
- In the configuration file, find the password that protects the CA Network Security Service (NSS) database, and write it to a file:
grep "internal=" /var/lib/pki/instance_name/conf/password.conf | \ awk -F= '{print $2;}' > /tmp/cs_bak/nss_password.txt# grep "internal=" /var/lib/pki/instance_name/conf/password.conf | \ awk -F= '{print $2;}' > /tmp/cs_bak/nss_password.txtCopy to Clipboard Copied! - Create a file with a password that will be used in the next step. For example:
echo Secret123 > /tmp/cs_bak/pkcs12_password.txt
# echo Secret123 > /tmp/cs_bak/pkcs12_password.txtCopy to Clipboard Copied! - Export the signing certificate and key:
PKCS12Export -d /var/lib/instance_name/alias/ \ -p /tmp/cs_bak/nss_password.txt \ -w /tmp/cs_bak/pkcs12_password.txt \ -o /tmp/cs_bak/ca.p12# PKCS12Export -d /var/lib/instance_name/alias/ \ -p /tmp/cs_bak/nss_password.txt \ -w /tmp/cs_bak/pkcs12_password.txt \ -o /tmp/cs_bak/ca.p12Copy to Clipboard Copied!
- Export the certificate signing request (CSR):
echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > /tmp/cs_bak/ca_signing.csr sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" /etc/pki/instance_name/ca/CS.cfg \ >> /tmp/cs_bak/ca_signing.csr echo "-----END NEW CERTIFICATE REQUEST-----" >> /tmp/cs_bak/ca_signing.csr# echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > /tmp/cs_bak/ca_signing.csr # sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" /etc/pki/instance_name/ca/CS.cfg \ >> /tmp/cs_bak/ca_signing.csr # echo "-----END NEW CERTIFICATE REQUEST-----" >> /tmp/cs_bak/ca_signing.csrCopy to Clipboard Copied! - If the CA is an intermediate CA, extract the root CA or certificate chain from the NSS database:
certutil -L -d /var/lib/pki/instance_name/alias/ -n "root_CA_nickname" \ -a > /tmp/cs_bak/ca_rootca_signing.crt# certutil -L -d /var/lib/pki/instance_name/alias/ -n "root_CA_nickname" \ -a > /tmp/cs_bak/ca_rootca_signing.crtCopy to Clipboard Copied! - Copy the directory that contains the exported files to the new server. For example:
scp -r /tmp/cs_bak/ new_server:/tmp/
# scp -r /tmp/cs_bak/ new_server:/tmp/Copy to Clipboard Copied! - Find the name of the CA database in the Directory Server:
grep internaldb.database /etc/pki/instance_name/ca/CS.cfg \ internaldb.database=<CS_database_name>
# grep internaldb.database /etc/pki/instance_name/ca/CS.cfg \ internaldb.database=<CS_database_name>Copy to Clipboard Copied! This name is needed to export the database later.
On the host that runs the Directory Server instance:
- Create a directory for the files to export, and grant write permissions to the Directory Server user. For example:
mkdir -m 770 /tmp/ds_bak/ chown root:dirsrv /tmp/ds_bak/
# mkdir -m 770 /tmp/ds_bak/ # chown root:dirsrv /tmp/ds_bak/Copy to Clipboard Copied! Note
The db2ldif command runs under the Directory Server user (e.g. dirsrv). Therefore the destination directory must be writable by this user. - Export the Directory Server database:
db2ldif -Z<DS_instance_name> -n <CS_database_name> -a /tmp/ds_bak/old_ca.ldif
# db2ldif -Z<DS_instance_name> -n <CS_database_name> -a /tmp/ds_bak/old_ca.ldifCopy to Clipboard Copied! In the example:DS_instance_nameis the Directory Server instance name used by the CA. For example:slapd-host_name.CS_database_nameis the name of the CA database obtained earlier.
- Copy the directory that contains the exported files to the new server. For example:
scp -r /tmp/ds_bak/ new_server:/tmp/
# scp -r /tmp/ds_bak/ new_server:/tmp/Copy to Clipboard Copied!
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}