
Migration Steps

An already existing Certifier installation can be migrated from one host to another by performing these steps.

Except when otherwise indicated, the information applies to both Unix and Windows versions of SSH Tectia Certifier.

  • Install the new Certifier

    On Unix: Install the installation package (rpm/pkg/depot) to the new host as described in SSH Tectia Certifier Administrator's Guide, but do not run the ssh-ca-setup script yet.

    On Windows: Install SSH Tectia Certifier to the new host by running the setup and selecting the Full Installation option.

  • Shut down the old installation

    As you definitely do not want to lose any events (revocations, issuances etc.) happening during the migration process, you must first stop your old installation. However, in order to avoid a break in certificate validation, you must ascertain that none of the CRLs are about to expire during the migration. This is done with the administration interface System Shutdown request in the System Configuration Menu.

    After shutting down the Certifier Engine with the System Shutdown request, the database and the server must also be stopped. Run the ssh-ca-stop script (see Section Starting and Stopping Certifier Manually).

  • Disable database log mirroring

    If you have enabled Sybase database log mirroring (either with ssh-ca-backupconf or manually with the Sybase tools), you must disable mirroring before proceeding with migration and enable it again on the target system after migration.

    Database mirroring can be disabled with ssh-ca-backupconf, see Section Setting up Backup Procedure.

  • Disable database live backup

    If you have enabled Sybase database remote live backup, you must disable the live backup before proceeding and enable it again on the target system after migration. If you need assistance with this step, please use your official support e-mail account to contact us.

  • Back up the old installation

    On Unix: Back up your installation with the ssh-ca-backup tool (see ssh-ca-backup).

    Just run the following command (as the certifier user, not as root):


    By default the backup is stored under var/bak/ca-backup-current under the Certifier directory.

    Note: if you have set up a regular backup routine with ssh-ca-backupconf (see Section Setting up Backup Procedure), the result gets stored to the directory specified in the backup configuration.

    On Windows: Back up your old installation. See Appendix Setting up Backup Procedure for more information.

  • Transfer the backup

    On Unix: Transfer the fresh backup to the new host. The exact steps depend on your host/network setup. If the new host is accessible with a Secure Shell connection, this might be achieved with the following commands:

    cd /opt/certifier/var/bak
    tar cf - ca-bak-current | ssh root@your-new-host \
    "mkdir -p /opt/certifier/var/migration && cd /opt/certifier/var/migration && tar xf -"

    On Windows: Transfer the old installation (or backup) to the new host:

    1. Copy the database file and database log to the default location (C:\sshcertifierdb) on the new host.
    2. Also copy the files in the var\pki directory to the new host.
    3. Change the DBA password to the default value in the ssh_certifier_file_dsn.DSN file. That is, replace the line containing PWD=<random_password> with PWD=SQL.

  • Transfer your hardware crypto modules

    If your Certifier installation includes crypto hardware modules, they must be migrated to the new host as well. Please consult your hardware crypto module documentation/support for details.

  • Set up the new Certifier

    On Unix: Run the ssh-ca-setup script as described in Section Installing Certifier in the Administrator's Guide.


    On Windows: You must manually run the following commands on the new host to complete the upgrade and OS migration:

    ssh_certifier_db_unload.bat u C:\sshcertifierdb
    ssh_ca_tool.exe -G

  • Subordinate Servers

    Subordinate server installations are not migrated, as their configurations live in the main installation database. When migrating old subordinate servers to new hosts, perform the following steps:

    • Create a new PSK for each of the old subordinate servers with the admin GUI. See Section Server Entity.
    • Install the subordinate server packages as instructed in SSH Tectia Certifier Administrator's Guide.
    • Use the new PSKs when setting up the servers.

  • Checklist

    After migration, please check at least the following details in the Certifier configuration.

    • Hostnames in the service configurations
    • CN in certificates of TLS-enabled web services
    • Engine address in subserver configuration file conf/server.conf
    • Your database setup is in the desired state with respect to:
      • Automated backup routine
      • Database log mirroring
      • Database live backup

    Please note that the Certifier syslog files (certifier/var/log/engine.log and certifier/var/log/server.log in a default installation) are not transferred from the old host to the new host with this procedure. You should copy or archive those files manually as appropriate.

  • Cleanup

    Unix only: Remove the var/migration directory from your new host.
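
The shutdown step requires that no CRL expires during the migration. The following added example (not part of the SSH Tectia Certifier documentation or tooling) checks CRL files fetched from your publication points against a planned outage window; the function names, the window length in hours and the file arguments are assumptions.

```shell
#!/bin/sh
# Added example: flag CRLs whose nextUpdate falls inside a planned outage window.

# Convert an openssl date ("Mar  1 12:00:00 2030 GMT") to epoch seconds.
# Done in awk because "date -d" is a GNU extension.
openssl_date_to_epoch() {
  awk -v s="$1" 'BEGIN {
    split(s, f, /[ :]+/)                      # Mon DD HH MM SS YYYY GMT
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
    d = f[2]; y = f[6]
    if (m <= 2) { y--; m += 9 } else m -= 3   # count months from March
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * m + 2) / 5) + d - 1
    days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    printf "%.0f\n", days * 86400 + f[3] * 3600 + f[4] * 60 + f[5]
  }'
}

# Print the nextUpdate field of a PEM or DER CRL file, as openssl formats it.
crl_next_update() {
  { openssl crl -in "$1" -noout -nextupdate 2>/dev/null ||
    openssl crl -inform DER -in "$1" -noout -nextupdate 2>/dev/null; } |
    sed -n 's/^nextUpdate=//p'
}

# True if nextUpdate ($1) is later than now ($3, epoch) plus the window ($2, hours).
crl_outlives_window() {
  next=$(openssl_date_to_epoch "$1")
  [ "$next" -gt $(( $3 + $2 * 3600 )) ]
}

# Usage: check_crls HOURS file.crl...   (non-zero exit if any CRL is at risk)
check_crls() {
  hours=$1; shift; rc=0; now=$(date +%s)
  for f in "$@"; do
    nu=$(crl_next_update "$f")
    if [ -z "$nu" ] || [ "$nu" = NONE ]; then
      echo "UNKNOWN  $f"; rc=1       # unreadable CRL or no nextUpdate: treat as at risk
    elif crl_outlives_window "$nu" "$hours" "$now"; then
      echo "OK       $f  nextUpdate=$nu"
    else
      echo "EXPIRES  $f  nextUpdate=$nu"; rc=1
    fi
  done
  return $rc
}
```

Run check_crls before issuing the System Shutdown request, with a window that covers the whole migration plus a margin; any EXPIRES or UNKNOWN line means relying parties could be left without a valid CRL.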
