Hi,

I have configured the same rules for CRL publishing on the Master CA and two Clone CAs

+ca.publish.enable=true
+ca.publish.ldappublish.enable=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
+ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
+ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
+ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
+ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
+ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
+ca.publish.rule.instance.FileCrlRule.enable=true
+ca.publish.rule.instance.FileCrlRule.mapper=NoMap
+ca.publish.rule.instance.FileCrlRule.pluginName=Rule
+ca.publish.rule.instance.FileCrlRule.predicate=
+ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
+ca.publish.rule.instance.FileCrlRule.type=crl

But only the Master CA publishes CRLs to the /var/lib/pki/pki-tomcat/webapps/crl directory.

According to documentation https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Planning_Installation_and_Deployment_Guide/Cloning_a_Subsystem.html#cloning-for-cas, only one replicated CA can generate, cache, and publish CRLs.

What are the best practices for publishing CRLs on a Clone CA? Should I just sync the CRL directory on both clones from the master, or is there a better approach?

Aleksey
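One way to do the directory sync asked about above, written here as an added example (it is not code from the post, from Dogtag or from Red Hat Certificate System): a POSIX shell script that pulls the master's latest DER CRL, refuses to publish it unless its signature verifies against the CA signing certificate and its nextUpdate is still in the future, and then drops it into the clone's publishing directory with an atomic rename. The master's CRL URL, the PEM path of the CA signing certificate, the published file name under FileCrlPublisher.directory, and the presence of openssl, curl and GNU date on the clone are all assumptions.

```shell
#!/bin/sh
# Added example for mirroring the master CA's CRL to a clone; not code from the
# original post or from Dogtag/RHCS. Assumptions (hypothetical): the master serves
# the DER CRL over HTTP at a known URL, the CA signing certificate is available in
# PEM form on the clone, and openssl, curl and GNU date are installed.
set -u

# crl_next_update_epoch CRL_DER
# Prints the CRL's nextUpdate as seconds since the epoch (GNU date -d assumed).
crl_next_update_epoch() {
    nu=$(openssl crl -in "$1" -inform DER -noout -nextupdate) || return 1
    date -u -d "${nu#nextUpdate=}" +%s
}

# verify_crl CRL_DER CA_CERT_PEM
# Returns 0 only if the CRL is signed by the CA in CA_CERT_PEM and has not passed
# its nextUpdate; returns 1 otherwise. A clone should never serve a CRL it cannot
# verify, nor a stale one that would hide recent revocations from relying parties.
verify_crl() {
    crl="$1"; cacert="$2"
    # openssl exits non-zero when the issuer is not in CA_CERT_PEM or the signature is bad.
    openssl crl -in "$crl" -inform DER -CAfile "$cacert" -verify -noout >/dev/null 2>&1 || {
        echo "verify_crl: signature check failed for $crl" >&2
        return 1
    }
    next=$(crl_next_update_epoch "$crl") || return 1
    now=$(date -u +%s)
    if [ "$next" -le "$now" ]; then
        echo "verify_crl: CRL nextUpdate already passed for $crl" >&2
        return 1
    fi
    return 0
}

# install_crl CRL_DER CA_CERT_PEM DEST_PATH
# Verifies the CRL, then publishes it via temp file + rename so the web server never
# serves a partially written file. On failure the previously published CRL is kept.
install_crl() {
    src="$1"; cacert="$2"; dest="$3"
    verify_crl "$src" "$cacert" || return 1
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# sync_crl_from_master URL CA_CERT_PEM DEST_PATH
# Downloads the master's latest CRL to a scratch file and installs it if it verifies.
sync_crl_from_master() {
    url="$1"; cacert="$2"; dest="$3"
    work=$(mktemp) || return 1
    if curl -fsS -o "$work" "$url" && install_crl "$work" "$cacert" "$dest"; then
        rm -f "$work"; return 0
    fi
    rm -f "$work"; return 1
}

# Example invocation with placeholder values; run it from cron on each clone:
# sync_crl_from_master "https://master.example.com/crl/MasterCA.crl" \
#     /path/to/ca-signing.pem /var/lib/pki/pki-tomcat/webapps/crl/MasterCA.crl
```

The verification step is what makes this safer than a plain rsync of the directory: a clone that blindly copies files will happily serve a truncated, corrupted or outdated CRL, whereas here an unverifiable download leaves the last good CRL in place and logs the reason.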