export all user/server/vpn certificates from ejbca (migration)

  • cyberuser

    cyberuser - 2014-03-11


    do anybody know a way to export all user certificates from ejbca 4.0.16. I want to migrate to ejbca 6.0.4. I'm ready with a new installation of ejbca 6.0.4. Now I want to migrate all data from ejbca 4.0.16 to ejbca 6.0.4.

    I'm able to export all CAs (see command line --> ejbca.sh ca exportca). Moreover I want to export the user/server/vpn certificates and import them in the new ejbca instance.
    Does anyone know an way respectively is it possible?

  • cyberuser

    cyberuser - 2014-03-17

    Can anyone help me?

    I've already done the following steps:

    1.exported all root and sub cas from ejbca 4.0.16 and imported them in ejbca 6.0.4 - no problem
    2.exported all certificate and end entity profiles and imported them in ejbca 6.0.4 - no problem

    Now I want to export all user certificates (with certificate history) and import them in the new version. I know that I have to export the mysql database entries but I don't know exactly which data should not be exported (tomcat, superadmin,...). In addition there are small changes in the database structure.
    Which tables and contents should be exported and which not.

    Can anyone help me?

  • Tomas Gustavsson

    Perhaps a silly question, but why didn't you just upgrade instead?

  • cyberuser

    cyberuser - 2014-03-17

    I decided to do a new installation because I want to update different componentes (new vm with new version of os, new version of jdk, new version of jboss, new version of ejbca for ca and ocsp responder).

    I think it is a good idea to do a clean new installation to get rid of the old and not needed stuff. Moreover I can test the new environment with the old data before I switch to productive system.

  • cyberuser

    cyberuser - 2014-03-17

    I was able to export all user certs with the help of mysqldump:

    mysqldump -u ejbca -p ejbca UserData --no-create-db --no-create-info --insert-ignore > UserData.sql
    mysqldump -u ejbca -p ejbca CertificateData --where="issuerDN NOT LIKE 'your initial ca'" --no-create-db --no-create-info --insert-ignore > CertificateData.sql

    Then you have to import these files in your new database tables e.g.

    mysql -u ejbca -p ejbca < UserData.sql

    I don't know if that is the right way. Does anyone has an advice?

    With the HistoryData I had no success:

    mysqldump -u ejbca-user -p ejbcadb CertReqHistoryData --where="issuerDN NOT LIKE 'your initial ca'" --no-create-db --no-create-info --insert-ignore > CertReqHistoryData.sql

    Does anyone has an idea?

  • cyberuser

    cyberuser - 2014-03-18


    am I doing something wrong or should it be done another way?

  • Tomas Gustavsson

    I honestly don't know really. Haven't had time to look closer into your posts. It is too advanced and takes too much time for me to look into detail. I just don't have that time at the moment.

    UserData and certificate data certainly are the most important tables. You can look into how the CLI commands for importcertificate soes thinks, but that requires some digging in the code for you.



Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks