3.3. Updating CA-KRA Connector Information After Cloning

Configuration information is not updated in clone instances if it is made after the clone is created. Likewise, changes made to a clone are not copied back to the master instance.
If a new KRA is installed or cloned after a clone CA is created, then the clone CA does not have the new KRA connector information in its configuration. This means that the clone CA ignores any archival requests from the KRA because it does not recognize it as a legitimate client.
Whenever a new KRA is created or cloned, copy its connector information into all of the cloned CAs in the deployment.
  1. On the master clone machine, open the master CA's CS.cfg file, and copy all of the ca.connector.KRA.* lines for the new KRA connector.
    [root@master ~]# vim /var/lib/pki/instance_name/conf/ca/CS.cfg
  2. Stop the clone CA instance. For example:
    [root@clone-ca ~] systemctl stop pki-tomcatd@instance_name.service
  3. Open the clone CA's CS.cfg file.
    [root@clone-ca ~]# vim /var/lib/pki/instance_name/conf/ca/CS.cfg
  4. Copy in the connector information for the new KRA instance or clone.
    ca.connector.KRA.enable=true
    ca.connector.KRA.host=server-kra.example.com
    ca.connector.KRA.local=false
    ca.connector.KRA.nickName=subsystemCert cert-pki-ca
    ca.connector.KRA.port=8443
    ca.connector.KRA.timeout=30
    ca.connector.KRA.transportCert=MIIDbD...ZR0Y2zA==
    ca.connector.KRA.uri=/kra/agent/kra/connector
  5. Start the clone CA.
    [root@clone-ca ~] systemctl start pki-tomcatd@instance_name.service