Mike Mercier wrote:
Hello,
I am in the process of setting up a dogtag system with cloning.
I have the following up and running:
CA (on server service-1), KRA, OCSP, RA, TKS, and TPS
I have already cloned the CA (on server service-2) and have a question
about what security domain to join when cloning the rest of the
subsystems.
Should the clones of the other subsystems join the primary domain
(service-1) or the cloned domain (service-2)?
Thanks,
Mike
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
That would be the primary domain, as there should be no such cloned domain.
The security domain is a configuration registry for the PKI services
that provides much easier configuration mechanisms to connect the
different subsystems' trusted relations and policies, versus having to
do all those configurations manually as in older versions of the
product; this helps a lot when setting up KRA, OCSP, and TKS with a CA.
The cloned CA must belong to the same "security domain" as the "master"
CA instance.
Although you can create and select any "security domain" you have, the
cloned subsystems must belong to the same "security domain", or at least
to the same "security domain" as their respective "masters" if you have
several "security domains". (And each subsystem can only belong to one
"security domain" at a time.)
A root CA should probably have its own "security domain". It is fairly
flexible, and settings may depend on your needs.
Some doc:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Gu...
There will be an updated documentation for RHCS 8.0 sometime soon.
M.
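As an added illustration (not part of the thread, and using the later pkispawn deployment tool of Dogtag 10 rather than the RHCS 7.3/8.0 tooling discussed above), this is how a KRA clone on service-2 is pointed at the primary security domain hosted by the master CA on service-1 rather than at the cloned CA. Hostnames, ports, the PKCS#12 path, and all passwords are assumed placeholders.

```ini
# Assumed pkispawn configuration for cloning the KRA onto service-2.
# The security domain section always names the CA that HOSTS the domain
# (the master CA on service-1); the clone does not create a second domain.
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=ADMIN_PASSWORD_PLACEHOLDER
pki_client_pkcs12_password=CLIENT_P12_PASSWORD_PLACEHOLDER
pki_ds_password=DS_PASSWORD_PLACEHOLDER

# Join the existing (primary) security domain registered on the master CA.
pki_security_domain_hostname=service-1.example.com
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=CA_ADMIN_PASSWORD_PLACEHOLDER

[KRA]
# Mark this instance as a clone and point it at the master KRA on service-1
# so it replicates the master's keys and data instead of generating new ones.
pki_clone=True
pki_clone_uri=https://service-1.example.com:8443
pki_clone_pkcs12_path=/root/kra-backup-keys.p12
pki_clone_pkcs12_password=P12_PASSWORD_PLACEHOLDER
pki_clone_replicate_schema=True
```

The same pattern applies to OCSP and TKS clones: only the `[KRA]` section name and the clone URI change, while the `pki_security_domain_*` settings keep naming the master CA on service-1.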