此内容没有您所选择的语言版本。
10.7. Converting Masters and Clones
Only one single active CA generating CRLs can exist within the same topology. Similarly, only one OCSP receiving CRLs can exist within the same topology. As such, there can be any number of clones, but there can only be a single configured master for CA and OCSP.
For KRAs and TKSs, there is no configuration difference between masters and clones, but CAs and OCSPs do have some configuration differences. This means that when a master is taken offline — because of a failure or for maintenance or to change the function of the subsystem in the PKI — then the existing master must be reconfigured to be a clone, and one of the clones promoted to be the master.
10.7.1. Converting CA Clones and Masters
- Stop the master CA if it is still running.
- Open the existing master CA configuration directory:
# cd /var/lib/pki/instance_name/ca/conf
- Edit the
CS.cfg
file for the master, and change the CRL and maintenance thread settings so that it is set as a clone:- Disable control of the database maintenance thread:
ca.certStatusUpdateInterval=0
- Disable monitoring database replication changes:
ca.listenToCloneModifications=false
- Disable maintenance of the CRL cache:
ca.crl.IssuingPointId.enableCRLCache=false
- Disable CRL generation:
ca.crl.IssuingPointId.enableCRLUpdates=false
- Set the CA to redirect CRL requests to the new master:
master.ca.agent.host=new_master_hostname master.ca.agent.port=new_master_port
- Stop the cloned CA server.
# systemctl stop pki-tomcatd@instance_name.service
- Open the cloned CA's configuration directory.
# cd /etc/instance_name
- Edit the
CS.cfg
file to configure the clone as the new master.- Delete each line which begins with the
ca.crl.
prefix. - Copy each line beginning with the
ca.crl.
prefix from the former master CACS.cfg
file into the cloned CA'sCS.cfg
file. - Enable control of the database maintenance thread; the default value for a master CA is
600
.ca.certStatusUpdateInterval=600
- Enable monitoring database replication:
ca.listenToCloneModifications=true
- Enable maintenance of the CRL cache:
ca.crl.IssuingPointId.enableCRLCache=true
- Enable CRL generation:
ca.crl.IssuingPointId.enableCRLUpdates=true
- Disable the redirect settings for CRL generation requests:
master.ca.agent.host=hostname master.ca.agent.port=port number
- Start the new master CA server.
# systemctl start pki-tomcatd@instance_name.service
10.7.2. Converting OCSP Clones
- Stop the OCSP master, if it is still running.
- Open the existing master OCSP configuration directory.
# cd /etc/instance_name
- Edit the
CS.cfg
, and reset theOCSP.Responder.store.defStore.refreshInSec
parameter to21600
:OCSP.Responder.store.defStore.refreshInSec=21600
- Stop the online cloned OCSP server.
# systemctl stop pki-tomcatd@instance_name.service
- Open the cloned OCSP responder's configuration directory.
# cd /etc/instance_name
- Open the
CS.cfg
file, and delete theOCSP.Responder.store.defStore.refreshInSec
parameter or change its value to any non-zero number:OCSP.Responder.store.defStore.refreshInSec=15000
- Start the new master OCSP responder server.
# systemctl start pki-tomcatd@instance_name.service