Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 22. Migrating From Certificate System 8 to 9

Red Hat Certificate System does not support in-place upgrades from an older major version, such as from 8.2 to 9. For major version upgrades, you must migrate the old instance. Additionally, you can use the same procedure to create a copy of your production environment for testing and debugging purposes.

Important

Before migrating, read the Red Hat Certificate System Release Notes.
A Certificate System migration requires the following steps:
  1. Section 22.1, “Exporting Data from the Previous System”
  2. Section 22.2, “Setting up the CA on the New Host”
  3. Section 22.3, “Importing the Data into the New CA”
  4. Section 22.4, “Reassigning Users to Default Groups”

22.1. Exporting Data from the Previous System
Copier lien

Before you set up the new Certificate System instance, export the data of the current certificate authority (CA).
On the host that runs the Certificate System instance:
  1. Create a directory for the files to export. For example: 
    # mkdir -m 770 /tmp/cs_bak/
    Copy to Clipboard Toggle word wrap
  2. Export the signing certificate and key:
    • When using a hardware security module (HSM):
      1. List the CA signing certificate nickname. For example: 
        # grep ca.cert.signing.nickname /etc/pki/instance_name/ca/CS.cfg
ca.signing.nickname=<nickname>
        Copy to Clipboard Toggle word wrap
      2. Export the CA certificate: 
        # certutil -L -d /var/lib/pki/instance_name/alias/ \
     -n <nickname> \
     -a > /tmp/cs_bak/ca_signing.crt
        Copy to Clipboard Toggle word wrap
        The key is stored in the HSM and must be available to the new instance.
    • When not using an HSM:
      1. In the configuration file, find the password that protects the CA Network Security Service (NSS) database, and write it to a file: 
        # grep "internal=" /var/lib/pki/instance_name/conf/password.conf | \
     awk -F= '{print $2;}' > /tmp/cs_bak/nss_password.txt
        Copy to Clipboard Toggle word wrap
      2. Create a file with a password that will be used in the next step. For example: 
        # echo Secret123 > /tmp/cs_bak/pkcs12_password.txt
        Copy to Clipboard Toggle word wrap
      3. Export the signing certificate and key: 
        # PKCS12Export -d /var/lib/instance_name/alias/ \
     -p /tmp/cs_bak/nss_password.txt \
     -w /tmp/cs_bak/pkcs12_password.txt \
     -o /tmp/cs_bak/ca.p12
        Copy to Clipboard Toggle word wrap
  3. Export the certificate signing request (CSR): 
    # echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > /tmp/cs_bak/ca_signing.csr

# sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" /etc/pki/instance_name/ca/CS.cfg \
     >> /tmp/cs_bak/ca_signing.csr

# echo "-----END NEW CERTIFICATE REQUEST-----" >> /tmp/cs_bak/ca_signing.csr
    Copy to Clipboard Toggle word wrap
  4. If the CA is an intermediate CA, extract the root CA or certificate chain from the NSS database: 
    # certutil -L -d /var/lib/pki/instance_name/alias/ -n "root_CA_nickname" \
     -a > /tmp/cs_bak/ca_rootca_signing.crt
    Copy to Clipboard Toggle word wrap
  5. Copy the directory that contains the exported files to the new server. For example: 
    # scp -r /tmp/cs_bak/ new_server:/tmp/
    Copy to Clipboard Toggle word wrap
  6. Find the name of the CA database in the Directory Server: 
    # grep internaldb.database /etc/pki/instance_name/ca/CS.cfg \
			internaldb.database=<CS_database_name>
    Copy to Clipboard Toggle word wrap
    This name is needed to export the database later.
On the host that runs the Directory Server instance:
  1. Create a directory for the files to export, and grant write permissions to the Directory Server user. For example: 
    # mkdir -m 770 /tmp/ds_bak/
# chown root:dirsrv /tmp/ds_bak/
    Copy to Clipboard Toggle word wrap

    Note

    The db2ldif command runs under the Directory Server user (e.g. dirsrv). Therefore the destination directory must be writable by this user.
  2. Export the Directory Server database: 
    # db2ldif -Z<DS_instance_name> -n <CS_database_name> -a /tmp/ds_bak/old_ca.ldif
    Copy to Clipboard Toggle word wrap
    In the example:
    • DS_instance_name is the Directory Server instance name used by the CA. For example: slapd-host_name.
    • CS_database_name is the name of the CA database obtained earlier.
  3. Copy the directory that contains the exported files to the new server. For example: 
    # scp -r /tmp/ds_bak/ new_server:/tmp/
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat