On 06/21/2016 01:03 PM, Endi Sukma Dewata wrote:
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.

Some other classes have been modified to provide better
debugging information.

https://fedorahosted.org/pki/ticket/2374



Ran the following test:

Steps to reproduce:

  1. Install CA and KRA on master:
$ ipa-server-install -U -r EXAMPLE.COM -p Secret123 -a Secret123
$ ipa-kra-install -p Secret123
  2. Install CA and KRA on replica:
$ ipa-client-install -U --server server.example.com --domain example.com \
  --realm EXAMPLE.COM -p admin -w Secret123
$ echo Secret123 | kinit admin
$ ipa-replica-install -U --setup-ca -p Secret123 -w Secret123
$ ipa-kra-install -p Secret123

Actual result: Success! The KRA installation on replica succeeded!

ACK