KRATool(1) PKI Key Recovery Authority (KRA) Tool KRATool(1)


NAME
KRATool - Command-Line utility used to export private keys from one or
more KRA instances (generally legacy) into a KRA instance (generally
modern); during the process of moving the keys, the KRATool can rewrap
keys, renumber keys, or both.


SYNOPSIS
The syntax for rewrapping keys:


KRATool -kratool_config_file tool_config_file
-source_ldif_file original_ldif_file
-target_ldif_file newinstance_ldif_file
-log_file tool_log_file
[-source_pki_security_database_path nss_database
-source_storage_token_name token
-source_storage_certificate_nickname storage_certificate_nickname
-target_storage_certificate_file new_ASCII_storage_cert
[-source_pki_security_database_pwdfile password_file]]
[-source_kra_naming_context name -target_kra_naming_context name]
[-process_requests_and_key_records_only]


The syntax for renumbering keys:


KRATool -kratool_config_file tool_config_file
-source_ldif_file original_ldif_file
-target_ldif_file newinstance_ldif_file
-log_file tool_log_file
[-append_id_offset prefix_to_add | -remove_id_offset prefix_to_remove]
[-source_kra_naming_context name -target_kra_naming_context name]
[-process_requests_and_key_records_only]


DESCRIPTION
The KRATool command provides a command-line utility used to rewrap
keys, renumber keys, or both. For example, some private keys (mainly
in older deployments) were wrapped in SHA-1, 1024-bit storage keys when
they were archived in the Key Recovery Authority (KRA). These
algorithms have become less secure as processor speeds improve and
algorithms have been broken. As a security measure, it is possible to
rewrap the private keys in a new, stronger storage key (SHA-256,
2048-bit keys).


Note: Because the KRATool utility can export private keys from one KRA,
rewrap them with a new storage key, and then import them into a new
KRA, this tool can be used as part of a process of combining multiple
KRA instances into a single KRA.


OPTIONS
The following parameters are mandatory for both rewrapping and
renumbering keys:


-kratool_config_file tool_config_file
Gives the complete path and filename of the configuration file used
by the tool.
This configuration file tells the tool how to process certain
parameters in the existing key records,
whether to apply any formatting changes (like changing the naming
context or adding an offset)
or even whether to update the modify date.
The configuration file is required and a default file is included
with the tool.
The file format is described in the section entitled Configuration
File (.cfg).


-source_ldif_file original_ldif_file
Gives the complete path and filename of the LDAP Data Interchange
Format (LDIF) file
which contains all of the key data from the old KRA.


-target_ldif_file newinstance_ldif_file
Gives the complete path and filename of the LDIF file
to which the tool will write all of the key data for the new KRA.
This file is created by the tool as it runs.


-log_file tool_log_file
Gives the path and filename of the log file to use to log the tool
progress and messages.
This file is created by the tool as it runs.


The following parameters are optional for both rewrapping and
renumbering keys:


-source_kra_naming_context name
Gives the naming context of the original KRA instance,
the Distinguished Name (DN) element that refers to the original
KRA.
Key-related LDIF entries have a DN with the KRA instance name in
it,
such as cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra.
The naming context for that entry is the DN value,
alpha.example.com-pki-kra.
These entries can be renamed, automatically, from the old KRA
instance naming context
to the new KRA instance naming context.

While this argument is optional, it is recommended because it means
that the LDIF file does not have to be edited
before it is imported into the target KRA.
If this argument is used, then the -target_kra_naming_context
argument must also be used.


-target_kra_naming_context name
Gives the naming context of the new KRA instance, the name that the
original key entries should be changed to.
Key-related LDIF entries have a DN with the KRA instance name in
it,
such as cn=1,ou=kra,ou=requests,dc=omega.example.com-pki-kra.
The naming context for that entry is the DN value,
omega.example.com-pki-kra.
These entries can be renamed, automatically, from the old KRA
instance to the new KRA instance naming context.

While this argument is optional, it is recommended because it means
that the LDIF file does not have to be edited
before it is imported into the target KRA.
If this argument is used, then the -source_kra_naming_context
argument must also be used.


-process_requests_and_key_records_only
Removes configuration entries from the source LDIF file, leaving
only the key and request entries.

While this argument is optional, it is recommended because it means
that the LDIF file does not have to be edited
before it is imported into the target KRA.


The following parameters are optional for rewrapping keys:


-source_pki_security_database_path nss_databases
Gives the full path to the directory which contains the Network
Security Services (NSS) security databases
used by the old KRA instance.

This option is required if any other rewrap parameters are used.


-source_storage_token_name token
Gives the name of the token which stores the KRA data, like
Internal Key Storage Token for internal tokens
or a name like NHSM6000-OCS for the hardware token name.

This option is required if any other rewrap parameters are used.


-source_storage_certificate_nickname storage_certificate_nickname
Gives the nickname of the KRA storage certificate for the old KRA
instance.
Either this certificate will be located in the security database
for the old KRA instance
or the security database will contain a pointer to the certificate
in the hardware token.

This option is required if any other rewrap parameters are used.


-target_storage_certificate_file new_ASCII_storage_cert
Gives the path and filename of an ASCII-formatted file of the
storage certificate for the new KRA instance.
The storage certificate should be exported from the new KRA's
databases
and stored in an accessible location before running KRATool.

This option is required if any other rewrap parameters are used.


-source_pki_security_database_pwdfile password_file
Gives the path and filename to a password file that contains only
the password for the storage token
given in the -source_storage_token_name option.

This argument is optional when other rewrap parameters are used.
If this argument is not used, then the script prompts for the
password.


The following parameters are optional for renumbering keys:


-append_id_offset prefix_to_add
Gives an ID number which will be prepended to every imported key,
to prevent possible collisions.
A unique ID offset should be used for every KRA instance which has
keys exported using KRATool.

If -append_id_offset is used, then do not use the -remove_id_offset
option.


-remove_id_offset prefix_to_remove
Gives an ID number to remove from the beginning of every imported
key.

If -remove_id_offset is used, then do not use the -append_id_offset
option.


Configuration File (.cfg)
The required configuration file instructs the KRATool how to process
attributes in the key archival and key request entries in the LDIF
file. There are six types of entries:


· CA enrollment requests

· TPS enrollment requests

· CA key records

· TPS key records

· CA and TPS recovery requests (which are treated the same in
the KRA)



Each key and key request has an LDAP entry with attributes that are
specific to that kind of record. For example, for a recovery request:


dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
objectClass: top
objectClass: request
objectClass: extensibleObject
requestId: 011
requestState: complete
dateOfCreate: 20110121181006Z
dateOfModify: 20110524094652Z
extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#F#9E#98#B3
extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1yTWvwIDAQAB
extdata-archive: true
extdata-requesttype: netkeyKeygen
extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
extdata-requestversion: 8.1.0
extdata-requestortype: NETKEY_RA
extdata-keyrecord: 1
extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
extdata-userid: jmagne
extdata-keysize: 1024
extdata-updatedby: TPS-alpha.example.com-7889
extdata-dbstatus: UPDATED
extdata-cuid: 40906145C76224192D2B
extdata-requeststatus: complete
extdata-requestid: 1
extdata-result: 1
requestType: netkeyKeygen
cn: 1
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20110122021010Z
modifyTimestamp: 20110122021010Z
nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000



Much of that information passes through the script processing
unchanged, so it is entered into the new, target KRA just the same.
However, some of those attributes can and should be edited, like the
Common Name (CN) and DN being changed to match the new KRA instance.
The fields which can safely be changed are listed in the configuration
file for each type of key entry. (Any attribute not listed is not
touched by the tool under any circumstances.)


If a field should be edited — meaning, the tool can update the record
ID number or rename the entry — then the value is set to true in the
configuration file. For example, this configuration updates the CN,
DN, ID number, last modified date, and associated entry notes for all
CA enrollment requests:


kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true



If a line is set to true, then the attribute is processed in the LDIF
file. By default, all possible attributes are processed. Setting a
line to false means that the KRATool skips that attribute and passes
the value unchanged. For example, this leaves the last modified time
unchanged so that it doesn't update for when the KRATool runs:


kratool.ldif.caEnrollmentRequest.dateOfModify=false



NOTE: Key enrollments, records, and requests all have an optional notes
attribute where administrators can enter notes about the process. When
the KRATool runs, it appends a note to that attribute or adds the
attribute with information about the tool running, what operations were
performed, and a timestamp:


extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetric session key' with the '2048-bit RSA public key' obtained from the target storage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA naming context 'alpha.example.com-pki-kra' to target KRA naming context 'omega.example.com-pki-kra' + PROCESSED requests and key records ONLY!



This information is very useful for both audit and maintenance of the
KRA, so it is beneficial to keep the extdata.requestNotes parameter for
all of the key record types set to true.


IMPORTANT: Every parameter line in the default kratool.cfg must be
present in the .cfg file used when the tool is invoked. No line can be
omitted and every line must have a valid value (true or false). If the
file is not properly formatted, the KRATool will fail.


The formatting of the .cfg file is the same as the formatting used in
the instance CS.cfg files.


A default .cfg file is included with the KRATool script. This file
(shown in the example entitled Default kratool.cfg File) can be copied
and edited into a custom file or edited directly and used with the
tool.


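Because a malformed .cfg makes the tool fail only at invocation time, it is worth checking an edited file beforehand. The following is an added example, not part of KRATool or the PKI project: it parses CS.cfg-style key=value lines, treats the numbered _NNN banner lines as comments, and reports every parameter of the default file that is missing or set to something other than true or false. The DEFAULT_CFG text is a constructed excerpt of the shipped file (two record types only), and the function names are this example's own.

```python
"""Added example (not part of KRATool): pre-flight check of a custom
kratool.cfg. Rule from the man page: every parameter line of the default
file must be present with the value true or false; _NNN lines are banners."""

# Constructed excerpt of the default kratool.cfg (two record types only).
DEFAULT_CFG = """\
kratool.ldif.caEnrollmentRequest._000=########################################
kratool.ldif.caEnrollmentRequest._001=## KRA CA Enrollment Request ##
kratool.ldif.caEnrollmentRequest._002=########################################
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
kratool.ldif.caKeyRecord._000=#########################################
kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
kratool.ldif.caKeyRecord._002=#########################################
kratool.ldif.caKeyRecord.cn=true
kratool.ldif.caKeyRecord.dateOfModify=true
kratool.ldif.caKeyRecord.dn=true
kratool.ldif.caKeyRecord.privateKeyData=true
kratool.ldif.caKeyRecord.serialno=true
"""


def is_banner(key):
    """_000, _001, ... lines document the record type; they are not settings."""
    tail = key.rsplit(".", 1)[-1]
    return tail.startswith("_") and tail[1:].isdigit()


def parse_cfg(text):
    """Parse CS.cfg-style key=value lines into {key: value}, skipping banners.
    A line without '=' is a formatting error and is reported, not ignored."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key = key.strip()
        if not is_banner(key):
            settings[key] = value.strip()
    return settings


def validate_cfg(custom_text, default_text=DEFAULT_CFG):
    """Return the list of problems KRATool would fail on; empty means OK."""
    defaults = parse_cfg(default_text)
    custom = parse_cfg(custom_text)
    problems = []
    for key in defaults:
        if key not in custom:
            problems.append(f"missing parameter: {key}")
        elif custom[key] not in ("true", "false"):
            problems.append(
                f"invalid value for {key}: {custom[key]!r} (must be true or false)")
    return problems


def skipped_attributes(custom_text):
    """Keys set to false: attributes the tool passes through unchanged."""
    return sorted(k for k, v in parse_cfg(custom_text).items() if v == "false")


if __name__ == "__main__":
    # Leave dateOfModify alone on CA enrollment requests, as in the text above.
    edited = DEFAULT_CFG.replace(
        "kratool.ldif.caEnrollmentRequest.dateOfModify=true",
        "kratool.ldif.caEnrollmentRequest.dateOfModify=false")
    print("problems:", validate_cfg(edited))
    print("skipped:", skipped_attributes(edited))
```

To use it against the real file, read the shipped kratool.cfg into default_text and the edited copy into custom_text; an empty problem list is the condition the IMPORTANT note above requires.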
Default kratool.cfg File
kratool.ldif.caEnrollmentRequest._000=########################################
kratool.ldif.caEnrollmentRequest._001=## KRA CA Enrollment Request ##
kratool.ldif.caEnrollmentRequest._002=########################################
kratool.ldif.caEnrollmentRequest._003=## ##
kratool.ldif.caEnrollmentRequest._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._005=## to change the CA 'naming context' ##
kratool.ldif.caEnrollmentRequest._006=## data in the following fields: ##
kratool.ldif.caEnrollmentRequest._007=## ##
kratool.ldif.caEnrollmentRequest._008=## extdata-auth--005ftoken;uid ##
kratool.ldif.caEnrollmentRequest._009=## extdata-auth--005ftoken;userid ##
kratool.ldif.caEnrollmentRequest._010=## extdata-updatedby ##
kratool.ldif.caEnrollmentRequest._011=## ##
kratool.ldif.caEnrollmentRequest._012=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._013=## to change CA 'numeric' data in ##
kratool.ldif.caEnrollmentRequest._014=## the following fields: ##
kratool.ldif.caEnrollmentRequest._015=## ##
kratool.ldif.caEnrollmentRequest._016=## extdata-requestId ##
kratool.ldif.caEnrollmentRequest._017=## ##
kratool.ldif.caEnrollmentRequest._018=########################################
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
kratool.ldif.caKeyRecord._000=#########################################
kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
kratool.ldif.caKeyRecord._002=#########################################
kratool.ldif.caKeyRecord._003=## ##
kratool.ldif.caKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caKeyRecord._005=## to change the CA 'naming context' ##
kratool.ldif.caKeyRecord._006=## data in the following fields: ##
kratool.ldif.caKeyRecord._007=## ##
kratool.ldif.caKeyRecord._008=## archivedBy ##
kratool.ldif.caKeyRecord._009=## ##
kratool.ldif.caKeyRecord._010=#########################################
kratool.ldif.caKeyRecord.cn=true
kratool.ldif.caKeyRecord.dateOfModify=true
kratool.ldif.caKeyRecord.dn=true
kratool.ldif.caKeyRecord.privateKeyData=true
kratool.ldif.caKeyRecord.serialno=true
kratool.ldif.namingContext._000=############################################
kratool.ldif.namingContext._001=## KRA Naming Context Fields ##
kratool.ldif.namingContext._002=############################################
kratool.ldif.namingContext._003=## ##
kratool.ldif.namingContext._004=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._005=## change the CA 'naming context' data ##
kratool.ldif.namingContext._006=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._007=## non-Request' fields (as these records ##
kratool.ldif.namingContext._008=## should be removed via the option to ##
kratool.ldif.namingContext._009=## process requests and key records only ##
kratool.ldif.namingContext._010=## if this is a KRA migration): ##
kratool.ldif.namingContext._011=## ##
kratool.ldif.namingContext._012=## cn ##
kratool.ldif.namingContext._013=## sn ##
kratool.ldif.namingContext._014=## uid ##
kratool.ldif.namingContext._015=## uniqueMember ##
kratool.ldif.namingContext._016=## ##
kratool.ldif.namingContext._017=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._018=## change the KRA 'naming context' data ##
kratool.ldif.namingContext._019=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._020=## non-Request' fields (as these records ##
kratool.ldif.namingContext._021=## should be removed via the option to ##
kratool.ldif.namingContext._022=## process requests and key records only ##
kratool.ldif.namingContext._023=## if this is a KRA migration): ##
kratool.ldif.namingContext._024=## ##
kratool.ldif.namingContext._025=## dc ##
kratool.ldif.namingContext._026=## dn ##
kratool.ldif.namingContext._027=## uniqueMember ##
kratool.ldif.namingContext._028=## ##
kratool.ldif.namingContext._029=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._030=## change the TPS 'naming context' data ##
kratool.ldif.namingContext._031=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._032=## non-Request' fields (as these records ##
kratool.ldif.namingContext._033=## should be removed via the option to ##
kratool.ldif.namingContext._034=## process requests and key records only ##
kratool.ldif.namingContext._035=## if this is a KRA migration): ##
kratool.ldif.namingContext._036=## ##
kratool.ldif.namingContext._037=## uid ##
kratool.ldif.namingContext._038=## uniqueMember ##
kratool.ldif.namingContext._039=## ##
kratool.ldif.namingContext._040=## If '-source_naming_context ##
kratool.ldif.namingContext._041=## original source KRA naming context' ##
kratool.ldif.namingContext._042=## and '-target_naming_context ##
kratool.ldif.namingContext._043=## renamed target KRA naming context' ##
kratool.ldif.namingContext._044=## options are specified, ALWAYS ##
kratool.ldif.namingContext._045=## require 'KRATOOL' to change the ##
kratool.ldif.namingContext._046=## KRA 'naming context' data in ALL of ##
kratool.ldif.namingContext._047=## the following fields in EACH of the ##
kratool.ldif.namingContext._048=## following types of records: ##
kratool.ldif.namingContext._049=## ##
kratool.ldif.namingContext._050=## caEnrollmentRequest: ##
kratool.ldif.namingContext._051=## ##
kratool.ldif.namingContext._052=## dn ##
kratool.ldif.namingContext._053=## extdata-auth--005ftoken;user ##
kratool.ldif.namingContext._054=## extdata-auth--005ftoken;userdn ##
kratool.ldif.namingContext._055=## ##
kratool.ldif.namingContext._056=## caKeyRecord: ##
kratool.ldif.namingContext._057=## ##
kratool.ldif.namingContext._058=## dn ##
kratool.ldif.namingContext._059=## ##
kratool.ldif.namingContext._060=## recoveryRequest: ##
kratool.ldif.namingContext._061=## ##
kratool.ldif.namingContext._062=## dn ##
kratool.ldif.namingContext._063=## ##
kratool.ldif.namingContext._064=## tpsKeyRecord: ##
kratool.ldif.namingContext._065=## ##
kratool.ldif.namingContext._066=## dn ##
kratool.ldif.namingContext._067=## ##
kratool.ldif.namingContext._068=## tpsNetkeyKeygenRequest: ##
kratool.ldif.namingContext._069=## ##
kratool.ldif.namingContext._070=## dn ##
kratool.ldif.namingContext._071=## ##
kratool.ldif.namingContext._072=############################################
kratool.ldif.recoveryRequest._000=#####################################
kratool.ldif.recoveryRequest._001=## KRA CA / TPS Recovery Request ##
kratool.ldif.recoveryRequest._002=#####################################
kratool.ldif.recoveryRequest.cn=true
kratool.ldif.recoveryRequest.dateOfModify=true
kratool.ldif.recoveryRequest.dn=true
kratool.ldif.recoveryRequest.extdata.requestId=true
kratool.ldif.recoveryRequest.extdata.requestNotes=true
kratool.ldif.recoveryRequest.extdata.serialnumber=true
kratool.ldif.recoveryRequest.requestId=true
kratool.ldif.tpsKeyRecord._000=#########################################
kratool.ldif.tpsKeyRecord._001=## KRA TPS Key Record ##
kratool.ldif.tpsKeyRecord._002=#########################################
kratool.ldif.tpsKeyRecord._003=## ##
kratool.ldif.tpsKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.tpsKeyRecord._005=## to change the TPS 'naming context' ##
kratool.ldif.tpsKeyRecord._006=## data in the following fields: ##
kratool.ldif.tpsKeyRecord._007=## ##
kratool.ldif.tpsKeyRecord._008=## archivedBy ##
kratool.ldif.tpsKeyRecord._009=## ##
kratool.ldif.tpsKeyRecord._010=#########################################
kratool.ldif.tpsKeyRecord.cn=true
kratool.ldif.tpsKeyRecord.dateOfModify=true
kratool.ldif.tpsKeyRecord.dn=true
kratool.ldif.tpsKeyRecord.privateKeyData=true
kratool.ldif.tpsKeyRecord.serialno=true
kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._001=## KRA TPS Netkey Keygen Request ##
kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._003=## ##
kratool.ldif.tpsNetkeyKeygenRequest._004=## NEVER allow 'KRATOOL' the ##
kratool.ldif.tpsNetkeyKeygenRequest._005=## ability to change the ##
kratool.ldif.tpsNetkeyKeygenRequest._006=## TPS 'naming context' data in ##
kratool.ldif.tpsNetkeyKeygenRequest._007=## the following fields: ##
kratool.ldif.tpsNetkeyKeygenRequest._008=## ##
kratool.ldif.tpsNetkeyKeygenRequest._009=## extdata-updatedby ##
kratool.ldif.tpsNetkeyKeygenRequest._010=## ##
kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
kratool.ldif.tpsNetkeyKeygenRequest.cn=true
kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
kratool.ldif.tpsNetkeyKeygenRequest.dn=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
kratool.ldif.tpsNetkeyKeygenRequest.requestId=true



Usage
The KRATool performs two operations: it can rewrap keys with a new
private key, and it can renumber attributes in the LDIF file entries
for key records, including enrollments and recovery requests. At least
one operation (rewrap or renumber) must be performed and both can be
performed in a single invocation.


Rewrapping Keys
When rewrapping keys, the tool needs to be able to access the original
NSS databases for the source KRA and its storage certificate to unwrap
the keys, as well as the storage certificate for the new KRA, which is
used to rewrap the keys.


$ KRATool -kratool_config_file KRATool.cfg \
-source_ldif_file originalKRA.ldif \
-target_ldif_file newKRA.ldif \
-log_file kratool.log \
-source_pki_security_database_path nssdb \
-source_storage_token_name "Internal Key Storage Token" \
-source_storage_certificate_nickname "storageCert cert-pki-kra" \
-target_storage_certificate_file omega.crt



Renumbering Keys
When multiple KRA instances are being merged into a single instance, it
is important to make sure that no key or request records have
conflicting CNs, DNs, serial numbers, or request ID numbers. These
values can be processed to append a new, larger number to the existing
values.


For the CN, the new number is the addition of the original CN plus the
appended number. For example, if the CN is 4 and the append number is
1000000, the new CN is 1000004.


For serial numbers and request IDs, the value is always a digit count
plus the value. So a CN of 4 has a serial number of 014, or one digit
and the CN value. If the append number is 1000000, the new serial
number is 071000004, for seven digits and then the sum of the append
number (1000000) and the original value (4).


$ KRATool -kratool_config_file KRATool.cfg \
-source_ldif_file originalKRA.ldif \
-target_ldif_file newKRA.ldif \
-log_file kratool.log \
-append_id_offset 100000000000



Restoring the Original Numbering
If a number has been appended to key entries, as in the example
entitled Renumbering Keys, that number can also be removed. Along with
updating the CN, it also reconstructs any associated numbers, like
serial numbers and request ID numbers. Undoing a renumbering action
may be necessary if the original number wasn't large enough to prevent
conflicts or as part of testing a migration or KRA consolidation
process.


$ KRATool -kratool_config_file KRATool.cfg \
-source_ldif_file originalKRA.ldif \
-target_ldif_file newKRA.ldif \
-log_file kratool.log \
-remove_id_offset 100000000000



Renumbering and Rewrapping in a Single Command
Rewrapping and renumbering operations can be performed in the same
invocation.


$ KRATool -kratool_config_file KRATool.cfg \
-source_ldif_file originalKRA.ldif \
-target_ldif_file newKRA.ldif \
-log_file kratool.log \
-source_pki_security_database_path nssdb \
-source_storage_token_name "Internal Key Storage Token" \
-source_storage_certificate_nickname "storageCert cert-pki-kra" \
-target_storage_certificate_file omega.crt \
-append_id_offset 100000000000



SEE ALSO
pki(1)


AUTHORS
Matthew Harmsen <mharmsen@redhat.com>.


COPYRIGHT
Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU
General Public License, version 2 (GPLv2). A copy of this license is
available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.



PKI July 18, 2016 KRATool(1)