10.8. Converting Masters and Clones

There can be any number of clones, but there can only be a single configured master. For DRMs and TKSs, there is no configuration difference between masters and clones, but CAs and OCSPs do have some configuration differences. This means that when a master is taken offline — because of a failure or for maintenance or to change the function of the subsystem in the PKI — then the existing master must be reconfigured to be a clone, and one of the clones promoted to be the master.

10.8.1. Converting CA Clones and Masters

  1. Stop the master CA if it is still running.
  2. Open the existing master CA configuration directory: 
    cd /var/lib/pki-ca/conf
  3. Edit the CS.cfg file for the master, and change the CRL and maintenance thread settings so that it is set as a clone:
    • Disable control of the database maintenance thread: 
      ca.certStatusUpdateInterval=0
    • Disable monitoring database replication changes: 
      ca.listenToCloneModifications=false
    • Disable maintenance of the CRL cache: 
      ca.crl.IssuingPointId.enableCRLCache=false
    • Disable CRL generation: 
      ca.crl.IssuingPointId.enableCRLUpdates=false
    • Set the CA to redirect CRL requests to the new master: 
      master.ca.agent.host=new_master_hostname
master.ca.agent.port=new_master_port
  4. Stop the cloned CA server. 
    service instance_name stop
  5. Open the cloned CA's configuration directory. 
    cd /etc/instance_name
  6. Edit the CS.cfg file to configure the clone as the new master.
    1. Delete each line which begins with the ca.crl. prefix.
    2. Copy each line beginning with the ca.crl. prefix from the former master CA CS.cfg file into the cloned CA's CS.cfg file.
    3. Enable control of the database maintenance thread; the default value for a master CA is 600. 
      ca.certStatusUpdateInterval=600
    4. Enable monitoring database replication: 
      ca.listenToCloneModifications=true
    5. Enable maintenance of the CRL cache: 
      ca.crl.IssuingPointId.enableCRLCache=true
    6. Enable CRL generation: 
      ca.crl.IssuingPointId.enableCRLUpdates=true
    7. Disable the redirect settings for CRL generation requests: 
      master.ca.agent.host=hostname
master.ca.agent.port=port number
  7. Start the new master CA server. 
    service instance_name start