10.4. Cloning OCSP Subsystems
- Configure the master OCSP, and back up the keys.
- In the CS.cfg file for the master OCSP, set the OCSP.Responder.store.defStore.refreshInSec parameter to any non-zero number other than 21600; 21600 is the setting for a clone.
# vim /etc/instance_name/CS.cfg
OCSP.Responder.store.defStore.refreshInSec=15000
- Create the clone subsystem instance using the pkispawn utility. For examples of the configuration file required by pkispawn when cloning OCSP subsystems, see the pkispawn(8) man page.
- Restart the Directory Server instance used by the clone.
# systemctl restart dirsrv@instance_name.service
Note
Restarting the Directory Server reloads the updated schema, which is required for proper performance.
- Restart the clone instance.
# systemctl restart pki-tomcatd@instance_name.service
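As an added example (not from the Red Hat Certificate System documentation), the POSIX shell check below confirms that a CS.cfg carries a refreshInSec value appropriate for its role, so a master is not left on the clone value 21600 and a clone is not left on a master value; the file paths and contents it creates are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Certificate System documentation:
# verify that OCSP.Responder.store.defStore.refreshInSec in a CS.cfg matches
# the instance role. A clone must use 21600; a master must use any other
# non-zero value. Exit status 0 means the setting fits the role, 1 otherwise.

check_refresh_in_sec() {
    cfg="$1"; role="$2"   # role is "master" or "clone"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    # Take the last assignment of the parameter; accept only a plain integer value.
    val=$(sed -n 's/^OCSP\.Responder\.store\.defStore\.refreshInSec=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$cfg" | tail -n 1)
    if [ -z "$val" ]; then
        echo "$cfg: parameter missing or not a plain integer" >&2; return 1
    fi
    case "$role" in
        master)
            if [ "$val" -eq 0 ] || [ "$val" -eq 21600 ]; then
                echo "$cfg: master needs a non-zero value other than 21600 (found $val)" >&2
                return 1
            fi ;;
        clone)
            if [ "$val" -ne 21600 ]; then
                echo "$cfg: clone needs 21600 (found $val)" >&2
                return 1
            fi ;;
        *) echo "role must be master or clone" >&2; return 1 ;;
    esac
    echo "$cfg: refreshInSec=$val is correct for a $role"
}

# Constructed sample files standing in for /etc/instance_name/CS.cfg on each host.
tmpdir=$(mktemp -d)
printf 'OCSP.Responder.store.defStore.refreshInSec=15000\n' > "$tmpdir/master-CS.cfg"
printf 'OCSP.Responder.store.defStore.refreshInSec=21600\n' > "$tmpdir/clone-CS.cfg"

check_refresh_in_sec "$tmpdir/master-CS.cfg" master
check_refresh_in_sec "$tmpdir/clone-CS.cfg" clone
```

Run it against the real CS.cfg of each instance with the matching role before testing the master-clone relationship.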
After configuring the clone, test to make sure that the master-clone relationship is functioning:
- Set up OCSP publishing in the master CA so that the CRL is published to the master OCSP.
- Once the CRL is successfully published, check both the master and cloned OCSP's List Certificate Authorities link in the agent pages. The list should be identical.
- Use the OCSPClient tool to submit OCSP requests to the master and the cloned Online Certificate Status Manager. The tool should receive identical OCSP responses from both managers.