
Chapter 23. Migrating an OpenSSL CA to Certificate System


Red Hat Certificate System provides a mechanism to migrate an existing OpenSSL Certificate Authority (CA) to a new Certificate System CA that uses the existing CA signing key.

Note

The migration of Certificate System 8 to 9 is a special implementation of this procedure and is described in Chapter 22, Migrating From Certificate System 8 to 9.
Depending on your environment, see:
  1. Create a file with a password that will be used in the next step. For example:
    # echo password > ~/password.txt
  2. Import the OpenSSL CA certificate and key into a PKCS #12 file using the openssl pkcs12 command. Use the following options:
    • -export instructs the openssl command to export the data.
    • -in path_to_ca_certificate sets the path to the OpenSSL CA certificate.
    • -inkey path_to_CA_signing_key sets the path to the OpenSSL CA signing key.
    • -out path_to_PKCS_#12_file sets the path to the PKCS #12 file in which the output is stored.
    • -name "friendly_name" sets the friendly name of the certificate and key.
    • -passout file:path_to_password_file sets the path to the text file that contains the password used to encrypt the PKCS #12 file.
    For example, to export the OpenSSL CA certificate and key into the ~/ca.p12 file:
    # openssl pkcs12 -export -in ~/ca.crt -inkey ~/ca.key -out ~/ca.p12 \
         -name "CA Certificate" -passout file:~/password.txt
  3. Initialize a password-protected Network Security Services (NSS) database for the Public Key Infrastructure (PKI) command-line interface. For example:
    # pki -c password client-init
  4. Set the CTu,Cu,Cu trust flags for the CA certificate with the CA Certificate nickname stored in the ~/ca.p12 file, using the password in the ~/password.txt file:
    # pki pkcs12-cert-mod --pkcs12-file ~/ca.p12 "CA Certificate" \
         --pkcs12-password-file ~/password.txt --trust-flags "CTu,Cu,Cu"

    Important

    Enter the trust flags without spaces.
  5. Display the CA certificate stored in the ~/ca.p12 file:
    # pki pkcs12-cert-find --pkcs12-file ~/ca.p12 \
         --pkcs12-password-file ~/password.txt
    ---------------
    1 entries found
    ---------------
      Certificate ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
      Serial Number: 0xe3f2b350edcd875c
      Nickname: CA Certificate
      Subject DN: O=Example,CN=CA Certificate
      Issuer DN: O=Example,CN=CA Certificate
      Trust Flags: CTu,Cu,Cu
      Has Key: true
  6. Display the CA signing key stored in the ~/ca.p12 file:
    # pki pkcs12-key-find --pkcs12-file ~/ca.p12 \
         --pkcs12-password-file ~/password.txt
    ---------------
    1 entries found
    ---------------
      Key ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
      Subject DN: CA Certificate
      Algorithm: RSA
  7. Copy the following files to the new Certificate System host:
    • OpenSSL CA Certificate Signing Request (CSR)
    • OpenSSL CA certificate chain (if available)
    • PKCS #12 file that contains the OpenSSL CA signing certificate and key
    • Password file used to protect the PKCS #12 file
    For example, to copy the files using secure copy:
    # scp ~/ca.csr ~/certificate_chain.p7b ~/ca.p12 ~/password.txt new_server:~/
  8. Set up the CA on the new host. For details, see Section 22.2, “Setting up the CA on the New Host”.
After the migration, you can deactivate the OpenSSL CA or run it in read-only mode, where it only responds to Online Certificate Status Protocol (OCSP) requests.
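The procedure above, as an added example that is not part of the Red Hat documentation or of the Certificate System project: a POSIX shell script that performs step 1 and step 2 with openssl and then checks the resulting PKCS #12 file before it is copied to the new host in step 7. The pki commands of steps 3 to 6 require the Certificate System client and are not exercised here. The function names, the throwaway certificates, the password value and the temporary paths are constructed for this example; the checks (one certificate with the expected friendly name, basicConstraints CA:TRUE, and a bundled key whose public key matches the certificate) go beyond the page and catch exporting the wrong certificate or key pair.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): export an OpenSSL CA
# certificate and key to PKCS #12 as in step 2, then sanity-check the file
# before copying it to the Certificate System host. Needs only openssl.

# Step 1: write the PKCS #12 password to a file readable only by its owner.
# Arguments: password_file password
make_password_file() {
    (umask 077; printf '%s\n' "$2" > "$1")
}

# Step 2: export a CA certificate and its signing key into a PKCS #12 file.
# Arguments: cert key out_p12 password_file friendly_name
export_ca_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "$5" -passout "file:$4"
}

# Verify a PKCS #12 file produced above. Returns 0 only when all checks pass.
# Arguments: p12 password_file expected_friendly_name
check_ca_p12() {
    p12=$1; pw=$2; name=$3
    certs=$(openssl pkcs12 -in "$p12" -passin "file:$pw" -nokeys) || return 1
    # Exactly one certificate, carrying the expected friendly name.
    [ "$(printf '%s\n' "$certs" | grep -c -- '-----BEGIN CERTIFICATE-----')" -eq 1 ] || return 1
    printf '%s\n' "$certs" | grep -q "friendlyName: $name" || return 1
    # It must really be a CA certificate (basicConstraints CA:TRUE).
    printf '%s\n' "$certs" | openssl x509 -noout -ext basicConstraints \
        | grep -q 'CA:TRUE' || return 1
    # The bundled private key must belong to that certificate: compare the
    # public key derived from each. The key is only piped, never written out.
    cert_pub=$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey) || return 1
    key_pub=$(openssl pkcs12 -in "$p12" -passin "file:$pw" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Construct a throwaway self-signed certificate and key (constructed test
# data, not a real CA). Arguments: out_dir ca_flag (TRUE or FALSE)
make_test_cert() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
O = Example
CN = CA Certificate
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# End-to-end run on constructed data: a genuine CA certificate passes the
# checks, an end-entity certificate exported by mistake is rejected.
run_demo() {
    work=$(mktemp -d) || return 1
    make_password_file "$work/password.txt" "password" || return 1
    mkdir "$work/ca" && make_test_cert "$work/ca" TRUE || return 1
    export_ca_p12 "$work/ca/ca.crt" "$work/ca/ca.key" "$work/ca.p12" \
        "$work/password.txt" "CA Certificate" || return 1
    check_ca_p12 "$work/ca.p12" "$work/password.txt" "CA Certificate" || return 1
    mkdir "$work/leaf" && make_test_cert "$work/leaf" FALSE || return 1
    export_ca_p12 "$work/leaf/ca.crt" "$work/leaf/ca.key" "$work/leaf.p12" \
        "$work/password.txt" "CA Certificate" || return 1
    if check_ca_p12 "$work/leaf.p12" "$work/password.txt" "CA Certificate"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}

if run_demo; then
    echo "PKCS #12 export checks behaved as expected"
else
    echo "PKCS #12 export check failed" >&2
fi
```

Run check_ca_p12 against ~/ca.p12 with ~/password.txt and the nickname you passed to -name before the scp in step 7; the same three properties are what pki pkcs12-cert-find and pki pkcs12-key-find display in steps 5 and 6, so a failure here saves a round trip to the new host.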
© 2025 Red Hat