Migrating RSA Keon CA with nCipher

Introduction

This document describes how to migrate from another CA to EJBCA. To demonstrate the specific steps and help you reproduce them, one specific CA was chosen: the RSA Keon CA. The general approach to migration is the same for other CA implementations.

Migration from another CA to EJBCA consists of the following steps:

  • Migration of the CAs' signing keys on the nCipher HSM, so that the keys can be used by EJBCA

  • Import of the CA within EJBCA

  • Import of the user certificates in EJBCA

This document outlines how to migrate a simple installation of KCA to EJBCA. It is recommended to first do a test migration to become familiar with the process.

For more information on the migration steps, see Migration and Import.

Keon CA

A setup of KCA on a target environment:

  • Windows Server 2003

  • KCA 6.5

  • One root CA – TestKCARootCA

  • One sub CA – TestKCASubCA

  • Signing keys for the CAs on nCipher nShield PCI card

  • 5 users issued by TestKCASubCA

After the installation of this environment, we make a backup of the nCipher security world, CA certificates and user certificates.

EJBCA

A target environment for EJBCA is chosen:

  • Ubuntu Linux 7.04 AMD64

  • JBoss 4.2.0, MySQL 5.0

  • EJBCA 3.5 or later; 3.9 recommended

  • One root CA – TestKCARootCA

  • One sub CA – TestKCASubCA

  • Signing keys for the CAs on nCipher nShield PCI card

  • 5 users issued by TestKCASubCA