According to the install docs, some additional config is required on the clone post-install to ensure that CRLs are generated in only one place.
This config should really be done by pkispawn.
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/cloning-a-ca.html
(see instruction 12)
It looks like there are post-install steps on the OCSP too.
Per CS/DS Meeting of 03/09/2015: 10.2.3
Notes on final checkin:
The value of ocsp.store.defStore.refreshInSec is being set to 14400 to mesh with the default CRL generation and pub schedule as per cfu's request.
The final solution for the OCSP clone is to NOT have the OCSP clones register themselves to the CA for publishing. For the time being, we will rely upon replication to keep the OCSP clones updated to the master. There is a single point of failure issue here which will be addressed in a soon to be new ticket that will allow a set of OCSP clones to publish until success and quit. Right now it looks like the publishers are treated as separate entities.
Metadata Update from @vakwetu: - Issue assigned to jmagne - Issue set to the milestone: 10.2.4
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1856
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.