27.4. Usage
This procedure rewraps the keys stored in one Certificate System 7.1 KRA and stores them in a Certificate System 8.1 KRA. This is not the only use case; the tool can be run on the same instance as both the source and target, to rewrap existing keys, or it can be used simply to copy keys from multiple KRA instances into a single instance without rewrapping the keys at all.
1. Prepare the new KRA instance and machine.
   - Install and configure a new Red Hat Certificate System 8.1 KRA instance.
     Important
     Set the storage key size and type to 2048-bit and RSA.
   - Stop the new KRA.
     [root@newkra ~]# service pki-kra stop
   - Create a data directory to store the exported key data from the old KRA.
     [root@newkra ~]# mkdir -p /export/pki
   - Export the public storage certificate for the new KRA to a flat file in the new data directory:
     [root@newkra ~]# certutil -L -d /var/lib/pki-kra/alias/ -n "storageCert cert-pki-kra" -a > /export/pki/newKRA.cert
   - Stop the Directory Server instance for the new KRA, if it is on the same machine.
     [root@newkra ~]# service dirsrv stop
   - Export the configuration information for the new KRA.
     [root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/db2ldif -n newkra.example.com-pki-kra -a /export/pki/newkra.ldif
     Important
     Be sure that the LDIF file contains a single, blank line at the end.
2. Export and prepare the key data from the old KRA instance.
   - Create a data directory to store the exported key data.
     [root@oldkra ~]# mkdir -p /export/pki
   - Export the information from the original KRA instance using a tool like db2ldif. This is done as part of the 7.1 to 8.1 migration steps in the KRA chapter of the Migration Guide.
   - Copy the LDIF for the exported data into the data directory, and update the data file to change the archiving CA.
     [root@oldkra ~]# cp /path/to/rhcs80-pki-kra.ldif /export/pki
     [root@oldkra ~]# sed -i -e "s/^archivedBy: kra_trusted_agent/archivedBy: CA/g" /export/pki/rhcs80-pki-kra.ldif
   - Stop all of the Certificate System servers on the machine.
   - Copy the NSS databases to the data directory. For example, for a 7.1 KRA:
     [root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-cert8.db /export/pki/cert8.db
     [root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-key3.db /export/pki/key3.db
     [root@oldkra ~]# cp -p /opt/redhat-cs/alias/secmod.db /export/pki/secmod.db
   - Copy the KRATool to the machine with the old KRA instance and pull in all of its dependencies. For 7.x systems, include the nsutil.jar and cmsutil.jar files (these files are already available on 8.0 systems). For example:
     [root@oldkra ~]# mkdir -p /usr/share/pki/java-tools
     [root@oldkra ~]# mkdir -p /usr/share/java/pki
     [root@oldkra ~]# cd /usr/share/java/pki
     [root@oldkra ~]# sftp root@newkra.example.com
     sftp> cd /usr/share/java/pki
     sftp> get nsutil.jar
     sftp> get cmsutil.jar
     sftp> get cstools.jar
     sftp> lcd /usr/share/pki/java-tools
     sftp> cd /usr/share/pki/java-tools
     sftp> get KRATool.cfg
     sftp> lcd /usr/bin
     sftp> cd /usr/bin
     sftp> get KRATool
     sftp> quit
     Important
     The machine must have Java 1.6.0 installed.
   - For 7.1 KRAs, create a symlink from the older ldapjdk.jar file to the new 8.x location.
     [root@oldkra ~]# ln -s /opt/redhat-cs/bin/cert/jars/ldapjdk.jar /usr/share/java/ldapjdk.jar
   - Open the data directory.
     [root@oldkra ~]# cd /export/pki
   - Copy the file with the public storage key from the new KRA machine to the old KRA machine. For example:
     [root@oldkra ~]# sftp root@newkra.example.com
     sftp> cd /export/pki
     sftp> get newKRA.cert
     sftp> quit
   - If necessary, edit the default KRATool.cfg file to use with the tool. The default file can also be used without changes.
   - Run the KRATool; all of these parameters should be on a single line.
     [root@oldkra ~]# KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file /export/pki/rhcs80-pki-kra.ldif -target_ldif_file /export/pki/old2newKRA.ldif -log_file /export/pki/kratool.log -source_pki_security_database_path /export/pki -source_storage_token_name 'Internal Key Storage Token' -source_storage_certificate_nickname 'storageCert cert-pki-kra' -target_storage_certificate_file /export/pki/newKRA.cert -append_id_offset 100000000000 -source_kra_naming_context "oldkra.example.com-pki-kra" -target_kra_naming_context "newkra.example.com-pki-kra" -process_requests_and_key_records_only
     The command prompts for the password to the token stored in the original databases. When it is done, the command creates the file specified in -target_ldif_file, old2newKRA.ldif.
   - Copy the LDIF file over to the new KRA machine. For example:
     [root@oldkra ~]# scp /export/pki/old2newKRA.ldif root@newkra.example.com:/export/pki
     Important
     Be sure that the LDIF file contains a single, blank line at the end.
   - If multiple KRA instances are being merged, then their data can be merged into a single import operation. Perform step 2 for every KRA which will be merged. Specify unique values for -target_ldif_file to create separate LDIF files, and specify unique -append_id_offset values so that there are no collisions when the LDIF files are concatenated.
3. On the new KRA machine, import the LDIF file with the old key data.
   - Open the data directory.
     [root@newkra ~]# cd /export/pki
   - Concatenate the new KRA configuration LDIF file and every exported LDIF for the old KRA instances. For example:
     [root@newkra ~]# cat newkra.ldif old2newKRA.ldif > combined.ldif
   - Import the LDIF into the Directory Server database for the Certificate System 8.1 KRA instance.
     [root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/ldif2db -n newkra.example.com-pki-kra -i /export/pki/combined.ldif
   - Start the Directory Server instance for the new KRA.
     [root@newkra ~]# service dirsrv start
   - Start the new KRA.
     [root@newkra ~]# service pki-kra start
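The procedure twice stresses that each LDIF file must end with a single blank line before the files are concatenated and fed to ldif2db, and it rewrites the archivedBy attribute with sed in step 2. The following script is an added example, not part of the Red Hat documentation or of KRATool itself, that checks and repairs the terminator of each LDIF file, refuses to concatenate files that fail the check, and counts key records whose archivedBy still names the 7.x agent. It assumes a POSIX shell with awk, sed, tail and od; the LDIF entries it builds in demo are constructed samples, not real KRA records.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation or the KRATool project):
# sanity checks for the LDIF files before they are concatenated and imported.
# Assumes POSIX sh with awk, sed, tail and od.

# Return 0 if FILE ends with exactly one blank line ("...data\n\n"), 1 otherwise.
# An LDIF reader treats a blank line as the end of an entry, so a missing
# terminator can lose the last record of one file when files are concatenated.
ldif_trailing_blank_ok() {
    file=$1
    [ -s "$file" ] || return 1
    # hex of the last three bytes, e.g. "780a0a" for "x\n\n"
    tail_bytes=$(tail -c 3 "$file" | od -An -tx1 | tr -d ' \n')
    case "$tail_bytes" in
        0a0a0a) return 1 ;;   # two or more blank lines at the end
        *0a0a)  return 0 ;;   # exactly one blank line at the end
        *)      return 1 ;;   # no blank line, or no final newline at all
    esac
}

# Rewrite FILE so that it ends with exactly one blank line.
ldif_fix_trailing_blank() {
    file=$1
    tmp="$file.tmp.$$"
    # drop every trailing empty line, then append exactly one
    awk '{ lines[NR] = $0 } END {
        n = NR
        while (n > 0 && lines[n] == "") n--
        for (i = 1; i <= n; i++) print lines[i]
        print ""
    }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Same rewrite as the sed step of the procedure, written through a temporary
# file so it also works where sed -i is unavailable.
ldif_rewrite_archiver() {
    file=$1
    tmp="$file.tmp.$$"
    sed -e 's/^archivedBy: kra_trusted_agent/archivedBy: CA/g' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Print the number of records still archived by the 7.x agent; expected 0
# after ldif_rewrite_archiver. grep -c exits 1 on zero matches, hence || true.
ldif_count_old_archiver() {
    grep -c '^archivedBy: kra_trusted_agent' "$1" || true
}

# Check every input, then concatenate them in order into OUT.
# Returns 1 and writes nothing if any input fails the terminator check.
ldif_concat_checked() {
    out=$1
    shift
    for f in "$@"; do
        ldif_trailing_blank_ok "$f" || { echo "bad LDIF terminator: $f" >&2; return 1; }
    done
    cat "$@" > "$out"
}

# Walk-through on constructed sample files (not real KRA data).
demo() {
    dir=$(mktemp -d)
    # configuration export missing its terminating blank line
    printf 'dn: cn=config,o=newkra\ncn: config\n' > "$dir/newkra.ldif"
    # one key record still naming the 7.x agent
    printf 'dn: cn=1,ou=keyRepository,o=kra\narchivedBy: kra_trusted_agent\n\n' \
        > "$dir/old2newKRA.ldif"
    ldif_rewrite_archiver "$dir/old2newKRA.ldif"
    for f in "$dir/newkra.ldif" "$dir/old2newKRA.ldif"; do
        if ! ldif_trailing_blank_ok "$f"; then
            echo "fixing terminator: $f"
            ldif_fix_trailing_blank "$f"
        fi
    done
    ldif_concat_checked "$dir/combined.ldif" "$dir/newkra.ldif" "$dir/old2newKRA.ldif"
    echo "old archiver references left: $(ldif_count_old_archiver "$dir/combined.ldif")"
    rm -rf "$dir"
}

demo
```

Run the checks on the real files in /export/pki before the cat and ldif2db steps; ldif_fix_trailing_blank is deliberately conservative and only touches trailing empty lines, so it cannot alter any entry data.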