diff --git a/.gitignore b/.gitignore
index 2bb3dbc..1f2da7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.9.0-b2.tar.gz
+SOURCES/pki-10.9.2.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 0f8efb1..94b0c5c 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-7a900dcf24422f7756649fbed42b6a033f9204b7 SOURCES/pki-10.9.0-b2.tar.gz
+0bb690cc30b9e8c358b4e818f640177a491cf504 SOURCES/pki-10.9.2.tar.gz
diff --git a/SOURCES/0002-Fix-permissions-when-installing-clone.patch b/SOURCES/0002-Fix-permissions-when-installing-clone.patch
new file mode 100644
index 0000000..c2028ee
--- /dev/null
+++ b/SOURCES/0002-Fix-permissions-when-installing-clone.patch
@@ -0,0 +1,51 @@
+From 1753780b47c6935816d5419dafcea667fb01fed4 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 21 Aug 2020 10:15:53 -0400
+Subject: [PATCH] Fix permissions when installing clone
+
+When pkispawn runs, it executes as root. However, rarely is PKI
+installed as root. The resulting permissions on ca.crt are 600,
+preventing later pki-server migrate command from running, as it
+runs as pkiuser, who doesn't have access to ca.crt. Fix the
+permissions when we initially create ca.crt to be owned by pkiuser.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ .../deployment/scriptlets/security_databases.py       | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+index 613ffdc17..80a5856e9 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
++++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+@@ -198,10 +198,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+             # Export CA certificate to PEM file; same command as in
+             # PKIServer.setup_cert_authentication().
+             # openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes -nokeys
++            pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt')
+             cmd_export_ca = [
+                 'openssl', 'pkcs12',
+                 '-in', pki_clone_pkcs12_path,
+-                '-out', os.path.join(pki_server_database_path, 'ca.crt'),
++                '-out', pki_ca_crt_path,
+                 '-nodes',
+                 '-nokeys',
+                 '-passin', 'pass:' + pki_clone_pkcs12_password
+@@ -210,6 +211,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+                                              stderr=subprocess.STDOUT).decode('utf-8')
+             logger.debug('Result of CA certificate export: %s', res_ca)
+ 
++            # At this point, we're running as root. However, the subsystem
++            # will eventually start up as non-root and will attempt to do a
++            # migration. If we don't fix the permissions now, migration will
++            # fail and subsystem won't start up.
++            pki.util.chmod(pki_ca_crt_path, 0o644)
++            pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'],
++                           deployer.mdict['pki_gid'])
++
+         ca_cert_path = deployer.mdict.get('pki_cert_chain_path')
+         if ca_cert_path and os.path.exists(ca_cert_path):
+             destination = os.path.join(instance.nssdb_dir, "ca.crt")
+-- 
+2.26.2
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index cf0485a..73994ff 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -10,9 +10,11 @@ URL:              http://www.dogtagpki.org/
 # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
 License:          GPLv2 and LGPLv2
 
-Version:          10.9.0
-Release:          0.4%{?_timestamp}%{?_commit_id}%{?dist}
-%global           _phase -b2
+# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase.
+# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase.
+Version:          10.9.2
+Release:          2%{?_timestamp}%{?_commit_id}%{?dist}
+#global           _phase -a1
 
 # To create a tarball from a version tag:
 # $ git archive \
@@ -29,6 +31,7 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
 Patch1: 0001-Removed-dependency-on-pytest-runner.patch
+Patch2: 0002-Fix-permissions-when-installing-clone.patch
 
 ################################################################################
 # NSS
@@ -50,7 +53,13 @@ Patch1: 0001-Removed-dependency-on-pytest-runner.patch
 # Java
 ################################################################################
 
-%define java_home %{_usr}/lib/jvm/jre-1.8.0-openjdk
+%define java_home /usr/lib/jvm/jre-openjdk
+
+%if 0%{?fedora} && 0%{?fedora} >= 33
+%define min_java_version 1:11
+%else
+%define min_java_version 1:1.8.0
+%endif
 
 ################################################################################
 # RESTEasy
@@ -157,7 +166,8 @@ BuildRequires:    make
 BuildRequires:    cmake >= 3.0.2
 BuildRequires:    gcc-c++
 BuildRequires:    zip
-BuildRequires:    java-1.8.0-openjdk-devel
+BuildRequires:    java-devel >= %{min_java_version}
+BuildRequires:    javapackages-tools
 BuildRequires:    redhat-rpm-config
 BuildRequires:    ldapjdk >= 4.22.0
 BuildRequires:    apache-commons-cli
@@ -330,7 +340,7 @@ PKI consists of the following components:
 
 Summary:          PKI Symmetric Key Package
 
-Requires:         java-1.8.0-openjdk-headless
+Requires:         java-headless >= %{min_java_version}
 Requires:         jpackage-utils >= 0:1.7.5-10
 Requires:         jss >= 4.7.0
 Requires:         nss >= 3.38.0
@@ -398,7 +408,7 @@ This package contains PKI client library for Python 3.
 Summary:          PKI Base Java Package
 BuildArch:        noarch
 
-Requires:         java-1.8.0-openjdk-headless
+Requires:         java-headless >= %{min_java_version}
 Requires:         apache-commons-cli
 Requires:         apache-commons-codec
 Requires:         apache-commons-io
@@ -491,6 +501,7 @@ Requires:         tomcat >= 1:9.0.7
 %endif
 
 Requires:         velocity
+Requires:         systemd
 Requires(post):   systemd-units
 Requires(preun):  systemd-units
 Requires(postun): systemd-units
@@ -820,7 +831,8 @@ cd build
     -DVERSION=%{version}-%{release} \
     -DVAR_INSTALL_DIR:PATH=/var \
     -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
-    -DJAVA_HOME=%{java_home} \
+    -DJAVA_HOME=%java_home \
+    -DPKI_JAVA_PATH=%java \
     -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
     -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
     -DAPP_SERVER=$app_server \
@@ -1316,6 +1328,30 @@ fi
 
 ################################################################################
 %changelog
+* Tue Aug 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.2-2
+- Bug #1871064 - Replica install failing during pki-ca component configuration
+
+* Tue Aug 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.2-1
+- Rebased to PKI 10.9.2
+
+* Wed Aug 12 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.1-2
+- Bug #1857933 - CA Installation is failing with ncipher v12.30 HSM
+- Bug #1868233 - Disabling AIA and cert policy extensions in ACME examples
+
+* Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.1-1
+- Rebased to PKI 10.9.1
+- Bug #1426572 - Fix Secure connection issue when server is down
+
+* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-1
+- Rebased to PKI 10.9.0
+
+* Fri Jul 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.7
+- Fixed pki kra-key-generate failure
+- Fixed error handling in PKIRealm
+
+* Fri Jul 10 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.6
+- Rebased to PKI 10.9.0-b4
+
 * Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.4
 - Rebased to PKI 10.9.0-b2