Note: This patch is intended for Dogtag 10.1. Once approved, it will also need to be applied to the 'master' branch.

-------- Original Message --------

Subject:	[Pki-devel] [PATCH] TRAC Ticket #816 - pki-tomcat cannot be started after installation of ipa replica with ca [20140225]
Date:	Tue, 25 Feb 2014 17:31:50 -0800
From:	Matthew Harmsen <mharmsen@redhat.com>
To:	pki-devel <pki-devel@redhat.com>

This patch causes the 'sslserver' certificate for a CA clone to be signed by its associated master CA during configuration, and resolves the following bug:

Dogtag TRAC Ticket #816 - pki-tomcat cannot be started after installation of ipa replica with ca

This was necessary to avoid any changes which may have been made to the X500Name directory string encoding order (i. e. - creating a Cloned CA on Fedora 20 from a Master CA on Fedora 19).The code was tested (applying the CAVEAT below) via end-to-end 'pkispawn' installation and batch-based configuration; it has not yet been tested with GUI-based configuration.CAVEAT:

During the preparation of this patch it was discovered that an end-to-end test of functionality cannot be accomplished due to the 389 TRAC Ticket #47721 - Schema Replication Issue which prevents the '99user.ldif' file from being properly replicated from the Master CA to the Cloned CA. However, I verified that this code does work by shutting down DS on the cloned CA machine, manually replacing '/etc/dirsrv/slapd-<clone>/schema/99user.ldif' with '/etc/dirsrv/slapd-<master>/schema/99user.ldif, restarting DS and the Cloned CA, and successfully performing a test enrollment.