Hi,
I have configured the same rules for CRL publishing on the master CA and two
clone CAs:
+ca.publish.enable=true
+ca.publish.ldappublish.enable=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
+ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
+ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
+ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
+ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
+ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
+ca.publish.rule.instance.FileCrlRule.enable=true
+ca.publish.rule.instance.FileCrlRule.mapper=NoMap
+ca.publish.rule.instance.FileCrlRule.pluginName=Rule
+ca.publish.rule.instance.FileCrlRule.predicate=
+ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
+ca.publish.rule.instance.FileCrlRule.type=crl
But only the master CA publishes CRLs to the /var/lib/pki/pki-tomcat/webapps/crl
directory.
According to the documentation
(https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...),
only one replicated CA can generate, cache, and publish CRLs.
What are the best practices for publishing CRLs on a clone CA? Should I just
sync the CRL directory on both clones from the master, or is there a better
approach?
Aleksey
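An added example for the "sync the CRL directory from the master" approach raised in the post above; it is not code from the post or from Dogtag/RHCS. A plain copy of the directory trusts whatever lands on the clone, so this POSIX shell script accepts a CRL fetched from the master only after openssl verifies its signature against the CA certificate, refuses to roll the published CRL Number backwards, and installs the file atomically so the web server never serves a half-written CRL. The CA certificate path, the DER input, and the names crl-<number>.der and latest.crl inside the target directory are this script's own assumptions, not Dogtag's FileBasedPublisher naming.

```shell
#!/bin/sh
# Added example (not from the original post or from Dogtag/RHCS itself):
# copy a CRL generated by the master CA into a clone's publishing
# directory only after (1) verifying its signature against the CA
# certificate and (2) checking that it does not roll the published CRL
# Number backwards, then installing it atomically.
#
# Assumptions (hypothetical, not Dogtag defaults): the CRL arrives as a
# DER file, the CA signing certificate is available in PEM form, and the
# file names crl-<number>.der and latest.crl inside the target directory
# are this script's own convention.

set -u

# Print the CRL Number extension of a DER CRL as a decimal integer.
# Fails if the CRL cannot be parsed or carries no CRL Number.
crl_number() {
    num=$(openssl crl -inform DER -in "$1" -noout -crlnumber 2>/dev/null) || return 1
    num=${num#crlNumber=}              # openssl prints the value in hex
    case "$num" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;  # "<NONE>" or garbage
    esac
    echo $((0x$num))
}

# Succeed only if openssl verifies the CRL signature with the CA cert.
# The "verify OK" text is checked rather than the exit status because
# some openssl releases exit 0 after printing "verify failure".
crl_signed_by() {
    out=$(openssl crl -inform DER -in "$1" -CAfile "$2" -noout 2>&1) || return 1
    case "$out" in
        *"verify OK"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# install_crl NEW_CRL.der CA_CERT.pem TARGET_DIR
install_crl() {
    new=$1 ca=$2 dir=$3

    crl_signed_by "$new" "$ca" ||
        { echo "rejecting $new: signature does not verify against $ca" >&2; return 1; }
    n=$(crl_number "$new") ||
        { echo "rejecting $new: no CRL Number extension" >&2; return 1; }

    # Never replace a published CRL with an older one (e.g. a stale copy
    # re-sent after the master has already issued a newer CRL).
    if [ -e "$dir/latest.crl" ]; then
        cur=$(crl_number "$dir/latest.crl") || cur=0
        if [ "$n" -lt "$cur" ]; then
            echo "rejecting $new: CRL Number $n is older than published $cur" >&2
            return 1
        fi
    fi

    # Write to a temporary name and rename, so a reader (the web server
    # serving the CRL) never sees a partially written file.
    mkdir -p "$dir"
    tmp="$dir/.crl-$n.der.$$"
    cp "$new" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dir/crl-$n.der" || return 1
    ln -sf "crl-$n.der" "$dir/.latest.$$" && mv -f "$dir/.latest.$$" "$dir/latest.crl"
}

# Example invocation (paths are placeholders, not Dogtag defaults):
#   install_crl /tmp/MasterCRL.der /etc/pki/ca-signing.pem /var/lib/pki/pki-tomcat/webapps/crl
```

Run it on each clone after fetching the master's CRL (from cron or as the post-transfer step of an rsync job). Note what it does not check: `openssl crl -CAfile` confirms the issuer and signature only, so a CRL whose nextUpdate has already passed is still accepted; add a date check if stale copies are a concern in your deployment.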