Converting a Master CA into a Cloned CA - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual


Subsystem
OCSP
DRM
TKS
Table 20.1. Differences Between Masters and Clones

20.4.1. Converting a Master CA into a Cloned CA

Because only one master CA can exist for a Certificate System installation, the offline master must first be converted into a cloned CA, and one of the cloned CAs then becomes the new master CA.
1. Stop the master CA if it is still running.
2. Open the existing master CA configuration directory:
   cd /var/lib/master_ID/conf
3. Edit the CS.cfg file, and change the following:
   • Disable control of the database maintenance thread by changing the value of the following line to 0; add the line if it does not already exist:
     ca.certStatusUpdateInterval=0
   • Disable monitoring database replication changes by changing the value of the following line to false; add the line if it does not already exist:
     ca.listenToCloneModifications=false
   • Disable maintenance of the CRL cache by changing all of the enableCRLCache lines from true to false; add each line if it does not already exist:
     ca.crl.IssuingPointId.enableCRLCache=false
   • Disable CRL generation by changing all of the enableCRLUpdates lines from true to false; add each line if it does not already exist:
     ca.crl.IssuingPointId.enableCRLUpdates=false
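
The step 3 edits above, scripted so they can be applied repeatably and then verified. This is an added example, not part of the Red Hat manual; the function names, the issuing point IDs passed by the caller, and the sample CS.cfg fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat code. Function names and the sample file are constructed.

# rewrite FILE SED_SCRIPT: edit in place, keeping the file's owner and mode.
rewrite() {
    ( umask 077; sed -E "$2" "$1" > "$1.tmp" ) && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# set_key FILE KEY VALUE: change KEY's value, or append KEY=VALUE if it is absent.
set_key() {
    pattern=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots literally
    if grep -q "^${pattern}=" "$1"; then
        rewrite "$1" "s|^${pattern}=.*|$2=$3|"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# convert_master_cfg FILE [ISSUING_POINT_ID...]: apply the step 3 edits.
convert_master_cfg() {
    cfg=$1; shift
    [ -e "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || return 1   # keep the master-state file
    set_key "$cfg" ca.certStatusUpdateInterval 0
    set_key "$cfg" ca.listenToCloneModifications false
    # Flip every per-issuing-point line already in the file, whatever its ID.
    rewrite "$cfg" 's/^(ca\.crl\.[^.=]+\.enableCRL(Cache|Updates))=.*/\1=false/'
    for id in "$@"; do                       # add the lines for IDs that lack them
        set_key "$cfg" "ca.crl.$id.enableCRLCache" false
        set_key "$cfg" "ca.crl.$id.enableCRLUpdates" false
    done
}

# check_clone_cfg FILE: succeed only if no master-only setting is still active.
check_clone_cfg() {
    grep -q '^ca\.certStatusUpdateInterval=0$' "$1" &&
    grep -q '^ca\.listenToCloneModifications=false$' "$1" &&
    ! grep -Eq '^ca\.crl\.[^.=]+\.enableCRL(Cache|Updates)=true' "$1"
}

# make_sample_cfg FILE: constructed CS.cfg fragment in the master state.
make_sample_cfg() {
    cat > "$1" <<'EOF'
ca.certStatusUpdateInterval=600
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.pageSize=100
EOF
}
```

Run convert_master_cfg only after step 1, with the CA stopped, because the in-place rewrite is not atomic; check_clone_cfg can then be run on its own to confirm that the file no longer carries any master-only setting.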
Subsystem   Differences
            single CA should generate CRLs, and this task is always left to the master CA.
OCSP        Clones have a unique configuration parameter, OCSP.Responder.store.defStore.refreshInSec.
DRM         There are no configurable differences between a master and a clone.
TKS         There are no configurable differences between a master and a clone.