export all user/server/vpn certificates from ejbca (migration)

Help
cyberuser
2014-03-11
2014-03-18
  • cyberuser
    2014-03-11

    Hi all,

    Does anybody know a way to export all user certificates from ejbca 4.0.16? I want to migrate to ejbca 6.0.4. I'm ready with a new installation of ejbca 6.0.4. Now I want to migrate all data from ejbca 4.0.16 to ejbca 6.0.4.

    I'm able to export all CAs (see command line --> ejbca.sh ca exportca). Moreover I want to export the user/server/vpn certificates and import them in the new ejbca instance.
    Does anyone know a way, or whether it is possible?

     
  • cyberuser
    2014-03-17

    Can anyone help me?

    I've already done the following steps:

    1. Exported all root and sub CAs from ejbca 4.0.16 and imported them into ejbca 6.0.4 - no problem
    2. Exported all certificate and end entity profiles and imported them into ejbca 6.0.4 - no problem

    Now I want to export all user certificates (with certificate history) and import them into the new version. I know that I have to export the MySQL database entries, but I don't know exactly which data should not be exported (tomcat, superadmin,...). In addition, there are small changes in the database structure.
    Which tables and contents should be exported and which not?

    Can anyone help me?

     
  • Perhaps a silly question, but why didn't you just upgrade instead?

     
  • cyberuser
    2014-03-17

    I decided to do a new installation because I want to update different components (new VM with a new version of the OS, new version of the JDK, new version of JBoss, new version of ejbca for the CA and OCSP responder).

    I think it is a good idea to do a clean new installation to get rid of the old and unneeded stuff. Moreover, I can test the new environment with the old data before I switch to the production system.

     
  • cyberuser
    2014-03-17

    I was able to export all user certs with the help of mysqldump:

    mysqldump -u ejbca -p ejbca UserData --no-create-db --no-create-info --insert-ignore > UserData.sql
    
    mysqldump -u ejbca -p ejbca CertificateData --where="issuerDN NOT LIKE 'your initial ca'" --no-create-db --no-create-info --insert-ignore > CertificateData.sql
    

    Then you have to import these files into your new database tables, e.g.

    mysql -u ejbca -p ejbca < UserData.sql
    

    I don't know if that is the right way. Does anyone have any advice?

    With the HistoryData I had no success:

    mysqldump -u ejbca-user -p ejbcadb CertReqHistoryData --where="issuerDN NOT LIKE 'your initial ca'" --no-create-db --no-create-info --insert-ignore > CertReqHistoryData.sql
    

    Does anyone have an idea?
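
Added example, not part of the original post and not EJBCA code: because `--insert-ignore` makes the import skip any row whose key already exists, a check after the import should report rows that are missing or that differ from the old database. The sketch emulates the filtered dump and import in SQLite so it runs offline; the reduced schema, the `fingerprint` key, the `CN=ManagementCA%` pattern and all rows are constructed assumptions.

```python
import sqlite3

# Assumed minimal schema; the real CertificateData table has many more columns.
SCHEMA = ("CREATE TABLE CertificateData (fingerprint TEXT PRIMARY KEY, "
          "issuerDN TEXT, username TEXT, status INTEGER)")
INITIAL_CA = "CN=ManagementCA%"  # constructed stand-in for 'your initial ca'
FILTER = "SELECT * FROM CertificateData WHERE issuerDN NOT LIKE ?"

# Constructed sample rows (status: 20 = active, 40 = revoked in this sample).
OLD_ROWS = [
    ("aa01", "CN=ManagementCA,O=Example", "superadmin", 20),
    ("bb02", "CN=SubCA,O=Example", "vpn-gw1", 20),
    ("cc03", "CN=SubCA,O=Example", "server1", 40),
]
# The new database already holds a stale copy of cc03 from an earlier test import.
NEW_ROWS = [("cc03", "CN=SubCA,O=Example", "server1", 20)]

def make_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO CertificateData VALUES (?,?,?,?)", rows)
    return db

def migrate(old, new):
    """Emulate the filtered dump and the INSERT IGNORE import (SQLite: OR IGNORE)."""
    rows = old.execute(FILTER, (INITIAL_CA,)).fetchall()
    new.executemany("INSERT OR IGNORE INTO CertificateData VALUES (?,?,?,?)", rows)

def verify(old, new):
    """Return (missing, differing) fingerprints among rows that should have moved."""
    expected = {r[0]: r for r in old.execute(FILTER, (INITIAL_CA,))}
    actual = {r[0]: r for r in new.execute("SELECT * FROM CertificateData")}
    missing = sorted(fp for fp in expected if fp not in actual)
    differing = sorted(fp for fp in expected
                       if fp in actual and actual[fp] != expected[fp])
    return missing, differing

if __name__ == "__main__":
    old, new = make_db(OLD_ROWS), make_db(NEW_ROWS)
    migrate(old, new)
    missing, differing = verify(old, new)
    print("missing after import:", missing)
    print("skipped by INSERT IGNORE:", differing)
```

In the sample, the revoked certificate `cc03` stays active in the new database because the import skipped it, which is the case the check is meant to surface.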

     
  • cyberuser
    2014-03-18

    @Tomas,

    am I doing something wrong or should it be done another way?

     
  • I honestly don't know really. Haven't had time to look closer into your posts. It is too advanced and takes too much time for me to look into detail. I just don't have that time at the moment.

    UserData and certificate data certainly are the most important tables. You can look into how the CLI commands for importcertificate do things, but that requires some digging in the code for you.

    Sorry,
    Tomas