When migrating from a non-EJBCA CA it is useful to be able to create a link certificate by accessing the HSM directly, in case the old CA software is not able to produce the link certificate for some reason (e.g. it might need an extension, such as the name change extension).
There's already a patch, it just needs to be checked in to SVN.
Here's how to use the functionality:
$ java -jar dist/clientToolBox/clientToolBox.jar PKCS11HSMKeyTool
SLOT_LABEL:nameofslot CSCA_OLD.cacert.pem CSCA_NEW.cacert.pem
You need binary certificates (.cvcert) for the CVCA and PEM certificates
for the X509 CA. The certificate type (CVC/X509) is automatically
detected. The output is always in binary format (CVCERT or DER)