Table of Contents Exporting PKI Database Importing PKI Database Fixing LDIF file Creating DS instance Importing PKI schema Applying PKI configuration changes Creating DS backend Creating suffix mapping entry Stopping DS instance Importing PKI database Starting DS instance Verification See Also

Use db2ldif to export PKI database:

$ db2ldif -Z pki-tomcat -U -n ca -a /tmp/ca.ldif

Newer DS server might have more restrictive attribute syntax. Edit /tmp/ca.ldif and perform the following changes:

• remove blank attributes (e.g. telephoneNumber)
• capitalize DomainManager and Clone attributes

Use the same settings to create the new DS instance:

$ setup-ds.pl --silent --\
        General.FullMachineName=$HOSTNAME\
        General.SuiteSpotUserID=nobody\
        General.SuiteSpotGroup=nobody\
        slapd.ServerPort=389\
        slapd.ServerIdentifier=pki-tomcat\
        slapd.Suffix=dc=example,dc=com\
        slapd.RootDN="cn=Directory Manager"\
        slapd.RootDNPwd=Secret.123

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 -f /usr/share/pki/server/conf/schema.ldif

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 -f /usr/share/pki/server/conf/database.ldif

$ ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=ca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsBackendInstance
objectClass: extensibleObject
cn: ca
nsslapd-suffix: dc=ca,dc=example,dc=com
EOF

$ ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=dc\3Dca\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=ca,dc=example,dc=com
nsslapd-backend: ca
nsslapd-state: backend
EOF

$ systemctl stop [email protected]

$ ldif2db -Z pki-tomcat -n ca -i /tmp/ca.ldif

$ systemctl start [email protected]

$ ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -b "dc=ca,dc=example,dc=com"

• PKI LDAP