PS: I have derived another CA replica "ipa0" from ipa2.
certutil shows different trustargs again. Shouldn't ipa2
and the new ipa0 have identical trustargs?
[root@ipa0 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
ipa2 has:
[root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca CTu,Cu,Cu
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,,
ocspSigningCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca u,u,u
Regards
Harri