For failover protection and for high availability of high-traffic subsystems, it is possible to clone an existing CA, DRM, TKS, or OCSP subsystem. To clone a subsystem, do the following:
1. Create a new instance using pkicreate.
2. Open the configuration wizard.
3. In the Security Domain panel, add the clone to the same security domain to which the master belongs.
4. The Subsystem Type panel sets whether to create a new instance or a clone; select the clone radio button.
5. Give the path and filename of the PKCS #12 backup file which was saved when the master instance was created. If a backup was not created at that time, use the pk12util utility to create a PKCS #12 file.
   When cloning a CA, the master and clone instances have the same CA signing key.
6. The subsystem information is automatically supplied from the master instance to the clone instance once the keys are successfully restored. Complete the configuration process.
7. Restart the clone instance.
   /etc/init.d/instance-id restart
For more information on using cloning as part of a deployment strategy, see Chapter 21, Configuring the Certificate System for High Availability.