
10.2. Cloning a CA


  1. Configure the master CA, and back up the keys.
  2. In the CS.cfg file for the master CA, enable the master CA to monitor replication database changes by adding the ca.listenToCloneModifications parameter:
    ca.listenToCloneModifications=true
  3. Create the clone subsystem instance.
    For examples of the configuration file required by pkispawn when cloning CA subsystems, see the Installing a CA clone and Installing a CA clone on the same host sections of the pkispawn(8) man page.
  4. Restart the Directory Server instance used by the clone.
    # systemctl restart dirsrv@instance_name.service

    Note

    Restarting the Directory Server reloads the updated schema, which is required for proper performance.
  5. Restart the clone instance.
    # systemctl restart pki-tomcatd@instance_name.service

After configuring the clone, test to make sure that the master-clone relationship is functioning:
  1. Request a certificate from the cloned CA.
  2. Approve the request.
  3. Download the certificate to the browser.
  4. Revoke the certificate.
  5. Check the master CA's CRL for the revoked certificate. In the master Certificate Manager's agent services page, click Update Certificate Revocation List. Find the CRL in the list.
    The CRL should show the certificate revoked by the cloned Certificate Manager. If that certificate is not listed, check logs to resolve the problem.
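
A shell helper for step 2 of the cloning procedure, added here as an example and not part of the Red Hat documentation: it sets ca.listenToCloneModifications=true exactly once in a given CS.cfg and keeps a .bak copy of the original. The function names, the CS.cfg path in the comment and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: set ca.listenToCloneModifications=true exactly once in a CS.cfg.
# Assumed call on the master CA (path is an assumption; adjust to the instance):
#   enable_clone_listener /var/lib/pki/instance_name/ca/conf/CS.cfg
KEY='ca.listenToCloneModifications'

# Succeeds only if the key is assigned exactly once and that value is "true".
clone_listener_enabled() {
    awk -F= -v k="$KEY" '
        $1 == k { n++; if ($0 == (k "=true")) ok = 1 }
        END { exit !(n == 1 && ok) }' "$1"
}

enable_clone_listener() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    clone_listener_enabled "$cfg" && return 0   # already correct: leave the file alone
    cp -p "$cfg" "$cfg.bak" || return 1         # keep the original for rollback
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    # Drop every existing assignment of the key (false, duplicated, empty),
    # append the single wanted line, then overwrite in place so the owner and
    # mode of CS.cfg are preserved.
    awk -F= -v k="$KEY" '$1 != k' "$cfg" > "$tmp" &&
        printf '%s=true\n' "$KEY" >> "$tmp" &&
        cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Dry run on a constructed CS.cfg fragment (not taken from a real instance).
demo_cfg=$(mktemp)
printf '%s\n' 'ca.crl.MasterCRL.enable=true' "$KEY=false" > "$demo_cfg"
enable_clone_listener "$demo_cfg" && grep "^$KEY=" "$demo_cfg"
rm -f "$demo_cfg" "$demo_cfg.bak"
```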
© 2024 Red Hat, Inc.