Cloning Ocsp Subsystems - Red Hat CERTIFICATE SYSTEM 8 Install Manual


ca.crl.IssuingPointId.enableCRLUpdates=false
• Enable the clone to redirect CRL requests to the master clone:
master.ca.agent.host=master_hostname
master.ca.agent.port=master_port
12. Restart the clone instance.
service subsystem_name restart
After configuring the clone, test to make sure that the master-clone relationship is functioning:
1. Request a certificate from the cloned CA.
2. Approve the request.
3. Download the certificate to the browser.
4. Revoke the certificate.
5. Check the master CA's CRL for the revoked certificate. In the master Certificate Manager's agent services page, click Update Certificate Revocation List. Find the CRL in the list.
The CRL should show the certificate revoked by the cloned Certificate Manager. If that certificate is not listed, check the logs to resolve the problem.

6.4. Cloning OCSP Subsystems

1. Configure the master OCSP, as described in Section 3.5, "Configuring a DRM, OCSP, or TKS", and back up the keys.
2. In the CS.cfg file for the master OCSP, set the OCSP.Responder.store.defStore.refreshInSec parameter to any non-zero number other than 21600; 21600 is the setting for a clone.
vim /etc/subsystem_name/CS.cfg
OCSP.Responder.store.defStore.refreshInSec=15000
3. Create the clone subsystem instance.
IMPORTANT
Do not go through the setup wizard for the instance yet.
4. Copy the exported PKCS#12 file containing the master instance's keys to the clone's alias/ directory.
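The refreshInSec rule from step 2 can be checked mechanically before the clone is configured. The following shell lint is an added example, not part of the Red Hat manual; the function names, the role labels and the sample files are constructed for illustration, and ignoring blanks around "=" is an assumption of this lint rather than documented CS.cfg behavior.

```shell
#!/bin/sh
# Added example: lint OCSP.Responder.store.defStore.refreshInSec for a role.
KEY='OCSP.Responder.store.defStore.refreshInSec'
CLONE_VALUE=21600   # per the manual, the setting for a clone

# Print each value assigned to $KEY in file $1.
# Comment lines are skipped; blanks around key and value are ignored (assumption).
refresh_values() {
    awk -v key="$KEY" '
        /^[ \t]*#/ { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k)
          gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) print v }' "$1"
}

# check_ocsp_refresh FILE ROLE   (ROLE: master | clone, hypothetical labels)
# Returns 0 if the value fits the role, 1 if it does not, 2 on usage errors.
check_ocsp_refresh() {
    file=$1; role=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    n=$(refresh_values "$file" | awk 'END { print NR }')
    val=$(refresh_values "$file")
    if [ "$n" -eq 0 ]; then echo "$file: $KEY is not set" >&2; return 1; fi
    if [ "$n" -gt 1 ]; then echo "$file: $KEY is set $n times" >&2; return 1; fi
    case $val in
        ''|*[!0-9]*) echo "$file: value '$val' is not a whole number" >&2; return 1 ;;
    esac
    case $role in
        master) [ "$val" -ne 0 ] && [ "$val" -ne "$CLONE_VALUE" ] && return 0
                echo "$file: master needs a non-zero value other than $CLONE_VALUE, found $val" >&2
                return 1 ;;
        clone)  [ "$val" -eq "$CLONE_VALUE" ] && return 0
                echo "$file: clone is expected to use $CLONE_VALUE, found $val" >&2
                return 1 ;;
        *)      echo "role must be master or clone" >&2; return 2 ;;
    esac
}

# Constructed sample files (not real configurations).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# master' "$KEY=15000" > "$tmp/master.cfg"
printf '%s\n' "$KEY=21600"            > "$tmp/clone.cfg"
printf '%s\n' "$KEY = 21600 "         > "$tmp/bad_master.cfg"

check_ocsp_refresh "$tmp/master.cfg" master && echo "master.cfg: ok"
check_ocsp_refresh "$tmp/clone.cfg" clone && echo "clone.cfg: ok"
check_ocsp_refresh "$tmp/bad_master.cfg" master || echo "bad_master.cfg: rejected"
```

A key that appears more than once is reported rather than resolved, because the manual does not say which assignment would take effect.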


This manual is also suitable for:

System 8 - install guide 25-03-2010
