10.3. Cloning a CA

  1. Configure the master CA, as described in Section 7.6.2.1, “Configuring a CA”, and back up the keys.
  2. In the CS.cfg file for the master CA, enable the master CA to monitor replication database changes by adding the ca.listenToCloneModifications parameter:
    cd /etc/instance_name
    
    ca.listenToCloneModifications=true
  3. Create the clone subsystem instance.

    IMPORTANT

    Do not go through the setup wizard for the instance yet.
  4. Copy the exported PKCS#12 file containing the master instance's keys to the clone's alias/ directory.
    The keys for the master instance could have been exported to a .p12 file when the instance was configured. Alternatively, the keys can be exported using the PKCS12Export command, as in Section 10.2, “Exporting Keys from a Software Database”.
  5. Make sure the PKCS#12 file is accessible by the Certificate System user. If necessary, change the file owner to pkiuser and reset the permissions to allow the correct read/write access. For example:
    chown pkiuser:pkiuser example.p12
    chmod 00644 example.p12
  6. It may be necessary to reset the SELinux permissions for the exported file so that the setup program can use it. First, check what context is assigned:
    ls -lZ *
    -rw-------. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 cert8.db
    -rw-------. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 key3.db
    -rw-r--r--. pkiuser pkiuser system_u:object_r:nfs_t:s0 example.p12  
    -rw-------. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 secmod.db
    If it does not match the other security files, then reset the SELinux context to that of the other objects using chcon:
    chcon "system_u:object_r:pki_ca_var_lib_t:s0" example.p12
    
    ls -lZ *
    -rw-------. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 cert8.db
    -rw-------. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 key3.db
    -rw-r--r--. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 example.p12  
    -rw-------. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 secmod.db
  7. Open the setup wizard URL, which was returned when the instance was created. For example:
    http://server.example.com:9180/ca/admin/console/config/login?pin=HIsd90RJSioDK==
  8. In the Security Domain panel, add the clone to the same security domain to which the master belongs.
  9. The Subsystem Type panel sets whether to create a new instance or a clone; select the clone radio button.
  10. Give the path and filename of the PKCS#12 backup file that was saved when the master instance was created or that was exported in step 4.
    If the keys are stored on an HSM that is accessible to the clone, then they are picked up automatically.

    NOTE

    When cloning a CA, the master and clone instances have the same CA signing key.
  11. The subsystem information is automatically supplied from the master instance to the clone instance once the keys are successfully restored. Complete the configuration process.
    When configuring the LDAP database, there are three critical configuration changes that must be made:
    • The clone must use a different Directory Server instance but must have the same suffix name.
    • By default, the instance configuration wizard uses localhost as the location for the internal LDAP database for a new instance. However, with cloning, the configuration process will spin endlessly and never complete if localhost is used for the internal database location, even if the LDAP database is indeed installed on the localhost.
      Use the fully-qualified domain name for the LDAP database in the Internal Database panel when configuring a clone.
    • The subsystem can connect to its database over a special secure port using SSL or over the regular port. However, the clone can only use a secure connection if the master was first set up to use a secure connection to the database, and it must use the same type of connection (SSL or unencrypted) as the master. If the master and clone use a regular, unencrypted connection, then the clone has the option to use Start TLS (a secure connection over an insecure port) for replication between the master Directory Server database and the clone database.

      IMPORTANT

      Even if the clone connects to the master over a secure connection, the standard LDAP port (389 by default) must still be open and enabled on the LDAP server while cloning is configured.
      For secure environments, the standard LDAP port can be disabled on the master's Directory Server instance once the clone is configured.
  12. Edit the CS.cfg file for the clone. Certain parameters must be added to the clone configuration to disable caching and generating CRLs.
    • Disable control of the database maintenance thread:
      ca.certStatusUpdateInterval=0
    • Disable monitoring database replication changes:
      ca.listenToCloneModifications=false
    • Disable maintenance of the CRL cache:
      ca.crl.IssuingPointId.enableCRLCache=false
    • Disable CRL generation:
      ca.crl.IssuingPointId.enableCRLUpdates=false
    • Enable the clone to redirect CRL requests to the master CA:
      master.ca.agent.host=master_hostname
      master.ca.agent.port=master_port
  13. Restart the Directory Server instance used by the clone, giving the name of that Directory Server instance:
    service dirsrv restart ds_instance_name

    NOTE

    Restarting the Directory Server reloads the updated schema, which is required for proper performance.
  14. Restart the clone instance.
    service instance_name restart
After configuring the clone, test to make sure that the master-clone relationship is functioning:
  1. Request a certificate from the cloned CA.
  2. Approve the request.
  3. Download the certificate to the browser.
  4. Revoke the certificate.
  5. Check the master CA's CRL for the revoked certificate. In the master Certificate Manager's agent services page, click Update Certificate Revocation List. Find the CRL in the list.
    The CRL should show the certificate revoked by the cloned Certificate Manager. If that certificate is not listed, check logs to resolve the problem.