Configuration information is not updated in clone instances if it is made after the clone is created. Likewise, changes made to a clone are not copied back to the master instance.
If a new KRA is installed or cloned after a clone CA is created, then the clone CA does not have the new KRA connector information in its configuration. This means that the clone CA ignores any archival requests from the KRA because it does not recognize it as a legitimate client.
Whenever a new KRA is created or cloned, copy its connector information into all of the cloned CAs in the deployment.
On the master clone machine, open the master CA's
CS.cfg file, and copy all of the
ca.connector.KRA.* lines for the new KRA connector.
[root@master ~]# vim /var/lib/pki/instance_name/conf/ca/CS.cfg
Stop the clone CA instance. For example:
[root@clone-ca ~] systemctl stop pki-tomcatd@instance_name.service
Open the clone CA's
[root@clone-ca ~]# vim /var/lib/pki/instance_name/conf/ca/CS.cfg
Copy in the connector information for the new KRA instance or clone.
Start the clone CA.
[root@clone-ca ~] systemctl start pki-tomcatd@instance_name.service