Cloned-Master CA Conversion
If an existing cloned CA must be converted into a new master CA (e.g., after a catastrophic
failure of the existing master CA), first convert the existing offline master CA into a clone,
then convert one of the currently running online cloned CAs into the new online master CA.
The differences between a master CA and a cloned CA are the following:
• Master CAs control the database maintenance thread (this is disabled in cloned CAs)
• Master CAs monitor database replication changes
• Master CAs maintain the CRL cache
• Master CAs generate the CRL
• Cloned CAs redirect CRL generation requests
Converting a Master CA into a Cloned CA
Since only one master CA can exist for a CS installation, the offline master must first be
converted into a cloned CA, because one of the cloned CAs will become the new master CA
(see Converting a Cloned CA into a Master CA).
First, ensure that the existing master CA is not running.
1. Go to the existing master CA configuration directory at the command line:
   cd <serverRoot>/cert-<masterID>/config
2. Open the CS.cfg file for editing, and make the following changes:
   a. To disable control of the database maintenance thread, modify the following line if
      it exists by changing the value to "0" (adding the line if it does not already exist):
      ca.certStatusUpdateInterval=0
NOTE: Clones should never be configured to generate CRLs. Clones can revoke, display,
import, and download CRLs previously generated by master CAs, but having them generate
new CRLs may cause synchronization problems. The rule is that only a single CA should
generate CRLs, and this task is always left to the master CA.
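As an added example (not from the CS documentation or product), the following POSIX shell helpers apply step 2a to a CS.cfg file: the key is rewritten to 0 if a line for it already exists and appended otherwise, after a backup of the file is taken, and a count check confirms that exactly one line sets the key afterwards. The file paths and the example.setting line are constructed for illustration.

```shell
#!/bin/sh
# Added example: maintain a single "key=value" line in a CS.cfg-style file.
# Assumes keys and values contain only letters, digits, dots and dashes
# (no sed-special characters such as '|' or '&').

# set_cfg_key FILE KEY VALUE
# Rewrites FILE so that every existing KEY= line becomes KEY=VALUE, or
# appends KEY=VALUE if no such line exists. Keeps FILE.bak so the former
# master's original settings can be restored if the conversion is aborted.
set_cfg_key() {
    file=$1; key=$2; value=$3
    cp "$file" "$file.bak" || return 1
    if grep -q "^$key=" "$file.bak"; then
        # Key present (possibly duplicated): rewrite each occurrence.
        sed "s|^$key=.*|$key=$value|" "$file.bak" > "$file"
    else
        # Key absent: add the line, as the guide instructs.
        cp "$file.bak" "$file"
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg_key FILE KEY: prints the value from the first KEY= line.
get_cfg_key() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# count_cfg_key FILE KEY: number of lines that set KEY; a clone should
# end up with exactly one, so a stale duplicate cannot re-enable the thread.
count_cfg_key() {
    grep -c "^$2=" "$1"
}
```

Run it against a copy of the clone's CS.cfg, e.g. set_cfg_key ./CS.cfg ca.certStatusUpdateInterval 0, then confirm with count_cfg_key that exactly one line sets the key.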
Chapter 17: Configuring CS for High Availability