Well, I've managed to goof something up. Copied the ASCII from the latest one, from
"primary", to the CS.cfg file on both servers, copied the
/etc/pki/pki-tomcat/alias directory from the "primary" to the
"secondary" and restarted pki-tomcat on both servers. That all said it worked.
However, restarting ipa on the "secondary" now dies at pki-tomcatd. Logs
showed an error of "Enter password for Internal Key Storage Token" and then the
dreaded repeating "WARNING: Exception processing realm
com.netscape.cms.tomcat.ProxyRealm@14444612 background process" for five minutes
until it fails. Ugh.