此内容没有您所选择的语言版本。
Chapter 23. Migrating an OpenSSL CA to Certificate System
Red Hat Certificate System provides a mechanism to migrate an existing OpenSSL Certificate Authority (CA) to a new Certificate System CA that uses the existing CA signing key.
Note
The migration of Certificate System 8 to 9 is a special implementation of this procedure and is described in Chapter 22, Migrating From Certificate System 8 to 9.
Depending on your environment, see:
23.1. Migrating an OpenSSL CA to Certificate System When Not Using an HSM
- Create a file with a password that will be used in the next step. For example:
# echo password > ~/password.txt
- Import the OpenSSL CA certificate and key into a PKCS #12 file using the
openssl pkcs12
command. Use the following options:-export
instructs theopenssl
command to export the data.-in path_to_ca_certificate
sets the path to the OpenSSL CA certificate.-inkey path_to_CA_signing_key
sets the path to the OpenSSL CA signing key.-out path_to_PKCS_#12_file
sets the path to the PKCS #12 file in which the output is stored.-name "friendly_name"
sets the friendly name of the certificate and key.-passout file:path_to_password_file
sets the path to the text file that contains the password used to encrypt the PKCS #12 file.
For example, to export the OpenSSL CA certificate and key into the~/ca.p12
file:# openssl pkcs12 -export -in ~/ca.crt -inkey ~/ca.key -out ~/ca.p12 \ -name "CA Certificate" -passout file:~/password.txt
- Initialize a password protected Network Security Services (NSS) database for the Public Key Infrastructure (PKI) command-line interface. For example:
# pki -c password client-init
- Set the
CTu,Cu,Cu
trust flags for the CA certificate with theCA Certificate
nick name stored in the~/ca.12
file using the password in the~/password.txt
file:# pki pkcs12-cert-mod --pkcs12-file ~/ca.p12 "CA Certificate" \ --pkcs12-password-file ~/password.txt --trust-flags "CTu,Cu,Cu"
Important
Enter the trust flags without spaces. - Display the CA certificate stored in the
~/ca.p12
file:# pki pkcs12-cert-find --pkcs12-file ~/ca.p12 \ --pkcs12-password-file ~/password.txt --------------- 1 entries found -------------- Certificate ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a Serial Number: 0xe3f2b350edcd875c Nickname: CA Certificate Subject DN: O=Example,CN=CA Certificate Issuer DN: O=Example,CN=CA Certificate Trust Flags: CTu,Cu,Cu Has Key: true
- Display the CA signing key stored in the
~/ca.p12
file:# pki pkcs12-key-find --pkcs12-file ~/ca.p12 \ --pkcs12-password-file ~/password.txt --------------- 1 entries found --------------- Key ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a Subject DN: CA Certificate Algorithm: RSA
- Copy the following files to the new Certificate System host:
- OpenSSL CA Signing Certificate Request (CSR)
- OpenSSL CA certificate chain (if available)
- PKCS #12 file that contains the OpenSSL CA signing certificate and key
- Password file used to protect the PKCS #12 file
For example, to copy the files using secure copy:# scp ~/ca.csr ~/certificate_chain.p7b ~/ca.p12 ~/password.txt new_server:~/
- Set up the CA on the new host. For details, see Section 22.2, “Setting up the CA on the New Host”.
After the migration, you can deactivate the OpenSSL CA or run it in read-only mode, where it only responds to Online Certificate Status Protocol (OCSP) requests.