During cloning, the certificates and keys are transfered to the replica with the following procedure:

• A temporary NSS database is created

• Replica downloads PKCS#12 files for the following certificates:

  • caSigningCert cert-pki-ca

  • ocspSigningCert cert-pki-ca

  • auditSigningCert cert-pki-ca

  • subsystemCert cert-pki-ca

• The PKCS#12 files are imported with pk12util into the temporary NSS database

• All IPA CA certs are imported into the temporary NSS database as well

• The temporary NSS database is exported into one PKCS#12 file with PKCS12Export