Cloning a CAChapter 3 Certificate Manager 131During the cloning process, the master Certificate Manager’s SSL servercertificate is automatically copied to the certificate database of the cloneCertificate Manager. The clone Certificate Manager uses this certificate forSSL-client-authenticated communication with the master CertificateManager. Don’t be alarmed when you see the certificate in clone CertificateManagers’ certificate databases. Also, be sure not to remove them from themaster and clone Certificate Managers’ databases.Setting Up a Clone CA1. Shutdown the master CA. See “Starting, Stopping, and Restarting CMSInstances” on page 254.2. Copy the Master CA’s Certificate and Key DatabaseBecause you want the clone Certificate Manager to own the same keys andcertificates as that of the master Certificate Manager, you need to makeavailable the keys and certificates used by the master Certificate Manager toeach clone Certificate Manager.❍ If the master Certificate Manager’s keys and certificates are stored in theinternal/software token, you need to copy the certificate and key databasefiles from the master Certificate Manager to each clone CertificateManager. Here’s how you do this:I. In the master Certificate Manager’s host machine, go to this directory:/aliasII. Locate the certificate and key database files; the file names are asfollows:cert---cert8.dbcert---key3.dbIII. In the clone Certificate Manager’s host machine, go to this directory:/aliasIV. Copy the certificate and key database files from the master CertificateManager to the clone.V. Repeat steps III and IV to copy the master Certificate Manager’scertificate and key database files to the alias directory of each cloneCertificate Manager.❍ If the master Certificate Manager’s keys and certificates are stored in thehardware token, you need to copy the keys and certificates following theinstructions provided by the hardware-token vendor.
