10.5. Cloning KRA Subsystems
- Configure the master subsystem and back up the keys.
- Create the clone subsystem instance using the
pkispawnutility:$pkispawn -s <subsystem> -f myconfig.txtAn example of the configuration file required bypkispawnwhen cloning KRA subsystems:[DEFAULT] pki_admin_password=<Secret.123> pki_client_database_password=<Secret.123> pki_client_pkcs12_password=<Secret.123> pki_ds_password=<Secret.123> pki_security_domain_password=<Secret.123> pki_security_domain_hostname=<master_ca_hostname> pki_security_domain_https_port=<master_ca_https_port> pki_security_domain_user=caadmin [KRA] pki_clone=True pki_clone_pkcs12_password=<Secret.123> pki_clone_pkcs12_path=<path_to_pkcs12_file> pki_clone_replicate_schema=True pki_clone_uri=https://<master_subsystem_host:master_subsystem_https_port> pki_issuing_ca=https://<ca_hostname:ca_https_port>
- Restart the Directory Server instance used by the clone.
#systemctl dirsrv@instance_name.serviceNote
Restarting the Directory Server reloads the updated schema, which is required for proper performance. - Restart the clone instance.
# pki-server restart instance_name
For the KRA clone, test to make sure that the master-clone relationship is functioning:
- Go to the KRA agent's page.
- Click List Requests.
- Select Show all requests for the request type and status.
- Click Submit.
- Compare the results from the cloned KRA and the master KRA. The results ought to be identical.
