8.4. Installing a Clone Subsystem Using an HSM

Normally, clone subsystems are created using a PKCS #12 file containing the system keys of the master subsystem. This file is generated during the installation of the master subsystem by setting the pki_backup_keys to True in the configuration file you use for the installation along with the defined value for the pki_backup_password option, or by exporting the keys using the PKCS12Export tool.
You cannot generate a PKCS #12 file using this tool when using an HSM because the keys cannot be retrieved from the HSM. Instead, the clone subsystem should either be pointed to the HSM used by the master subsystem, so that it can access the same keys. Alternatively, if using a separate HSM, clone the keys to this HSM using the utilities provided by the HSM vendor. You must provide access to the master subsystem's key before running the pkispawn utility.
As Certificate System uses no PKCS #12 when installing with an HSM, you do not need to set the parameters in the configuration file for the location of a PKCS #12 file and its password. The following example lists options from the [Tomcat] section of the respective PKI configuration file that are required for generating a CA clone.
For generating a non-HSM CA clone:
  • pki_clone=True
  • pki_clone_pkcs12_password=Secret123
  • pki_clone_pkcs12_path=<path_to_pkcs12_file>
  • pki_clone_replicate_schema=True (default value)
  • pki_clone_uri=https://<master_ca_host_name>:<master_ca_https_port>
For generating a CA clone using an HSM:
  • pki_clone=True
  • pki_clone_replicate_schema=True (default value)
  • pki_clone_uri=https://<master_ca_host_name>:<master_ca_https_port>

Note

In order for the master subsystem to share the same certificates and keys with its clones, the HSM must be on a network that is in shared mode and accessible by all subsystems.