2 files changed, 11 insertions, 3 deletions

diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
index 7ecbb0c8c..462e05455 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
@@ -195,6 +195,7 @@ public class CreateSubsystemPanel extends WizardPanelBase {
         }
 
         try {
+            String cstype = config.getString("cs.type", "");
             config.putString("preop.subsystem.name", HttpInput.getName(request, "subsystemName"));
 
             if (select.equals("newsubsystem")) {
@@ -214,7 +215,7 @@ public class CreateSubsystemPanel extends WizardPanelBase {
                         config.putBoolean(PCERT_PREFIX + tag + ".enable", false);
                 }
 
-                // get the master CA
+                // get the masterURL
                 String index = request.getParameter("urls");
                 String url = "";
 
@@ -243,8 +244,12 @@ public class CreateSubsystemPanel extends WizardPanelBase {
                     throw new IOException("Invalid clone URI provided.  Does not match the available subsystems in " +
                             "the security domain");
                 }
+                if (cstype.equals("CA")) {
+                    int https_admin_port = ConfigurationUtils.getPortFromSecurityDomain(domainXML,
+                                               host, https_ee_port, "CA", "SecurePort", "SecureAdminPort");
 
-                ConfigurationUtils.importCertChain(host, https_ee_port, "/ca/ee/ca/getCertChain", "clone");
+                    ConfigurationUtils.importCertChain(host, https_admin_port, "/ca/admin/ca/getCertChain", "clone");
+                }
             } else {
                 CMS.debug("CreateSubsystemPanel: invalid choice " + select);
                 context.put("updateStatus", "failure");
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
index 2e7f0616b..4304f5bf0 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
@@ -251,7 +251,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
             if (csType.equals("CA")) {
                 try {
-                    ConfigurationUtils.importCertChain(masterHost, masterPort, "/ca/ee/ca/getCertChain", "clone");
+                    int masterAdminPort = ConfigurationUtils.getPortFromSecurityDomain(domainXML,
+                            masterHost, masterPort, "CA", "SecurePort", "SecureAdminPort");
+                    ConfigurationUtils.importCertChain(masterHost, masterAdminPort, "/ca/admin/ca/getCertChain",
+                            "clone");
                 } catch (Exception e) {
                     e.printStackTrace();
                     throw new PKIException("Failed to import certificate chain from master" + e);