[Freeipa-users] Replicating o=ipaca

Rob Crittenden rcritten at redhat.com
Tue Aug 12 17:49:02 UTC 2014


Erinn Looney-Triggs wrote:
> The documentation seems to be a little fuzzy on setting up two CAs,
> some parts indicate this is a bad idea because the CRLs can clobber
> each other, other parts, such as the migration guide from RHEL 6.5 to
> 7 seem to indicate that it is ok, albeit maybe that is just for a
> short time.

It isn't a bad idea to stand up clones, you just need to understand that
this is one of the rare places where all masters are not equal. One has
to be designated as the CRL generator and one as the CA renewal master.
These don't have to be the same but it makes sense to keep them together
IMHO.

The reason to limit CRL generation to one master is the small chance
that you could end up with two CRLs with the same serial number but
containing different certificates. Remember that a CRL is just a signed
snapshot in time of revoked certificates.

Similarly for renewal it is vastly easier to do it on one host than try
to manage the race condition of them trying to renew at the same time.

> What I am wondering, because I get a little nervous when all my data
> for the CA is on one host (backups aside), is whether there is a
> value, assuming that having two concurrent dogtag instances is a bad
> thing, to replicating the ipaca data in ldap. Just the data I mean,
> would it be possible, having just the LDAP data and whatever certs are
> in the replica file to basically reconstruct a CA?

Right, you want at least two CAs for redundancy. Some dogtag guru could
probably stand up a new CA using just the LDAP data and the certs but I
can't imagine it would be easy, even for them.

rob
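The reply above distinguishes two roles that only one CA master should hold at a time: the CRL generator and the CA renewal master. The following POSIX shell script is an added example, not code from Rob's reply or from FreeIPA's own tooling, for auditing which master holds each role. The CS.cfg keys `ca.crl.MasterCRL.enableCRLUpdates` and `ca.crl.MasterCRL.enableCRLCache` and the LDAP marker `ipaConfigString: caRenewalMaster` on `cn=CA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>` are the real Dogtag and FreeIPA settings; the config file contents, LDIF, hostnames and suffix in the demo are constructed sample data, and the script takes file paths as arguments rather than assuming where a given release keeps CS.cfg.

```shell
#!/bin/sh
# Added example, not from the thread: determine which CA master holds the
# CRL-generator and renewal-master roles the reply describes.
# CS.cfg key names are Dogtag's own; file contents and hostnames below are
# constructed sample data, not taken from any real deployment.

# cfg_value FILE KEY: print KEY's value from a Dogtag CS.cfg (key=value lines).
cfg_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# crl_role CS_CFG: "generator" when this master builds the CRL, "clone" when
# it does not, "inconsistent" when the two CRL settings disagree.
crl_role() {
    updates=$(cfg_value "$1" ca.crl.MasterCRL.enableCRLUpdates)
    cache=$(cfg_value "$1" ca.crl.MasterCRL.enableCRLCache)
    if [ "$updates" = true ] && [ "$cache" = true ]; then
        echo generator
    elif [ "$updates" = false ] && [ "$cache" = false ]; then
        echo clone
    else
        echo inconsistent
    fi
}

# count_generators CS_CFG...: how many of the given configs claim the
# generator role; anything other than exactly 1 is the duplicate-CRL risk.
count_generators() {
    n=0
    for f in "$@"; do
        if [ "$(crl_role "$f")" = generator ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# renewal_masters LDIF: print the hostname of every CA master entry carrying
# ipaConfigString: caRenewalMaster (entries live under
# cn=CA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>). Expect exactly one line.
renewal_masters() {
    awk '/^dn: / { dn = $2 }
         /^ipaConfigString: caRenewalMaster$/ {
             split(dn, p, ","); sub(/^cn=/, "", p[2]); print p[2]
         }' "$1"
}

# demo: constructed two-master deployment, ipa1 holding both roles.
demo() {
    d=$(mktemp -d)
    printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=true\n' > "$d/ipa1.cfg"
    printf 'ca.crl.MasterCRL.enableCRLCache=false\nca.crl.MasterCRL.enableCRLUpdates=false\n' > "$d/ipa2.cfg"
    cat > "$d/masters.ldif" <<'EOF'
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: CA
ipaConfigString: caRenewalMaster
ipaConfigString: enabledService

dn: cn=CA,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: CA
ipaConfigString: enabledService
EOF
    echo "ipa1 CRL role:   $(crl_role "$d/ipa1.cfg")"
    echo "ipa2 CRL role:   $(crl_role "$d/ipa2.cfg")"
    echo "CRL generators:  $(count_generators "$d/ipa1.cfg" "$d/ipa2.cfg")"
    echo "renewal master:  $(renewal_masters "$d/masters.ldif")"
    rm -rf "$d"
}

demo
```

In a real deployment you would feed `crl_role` each master's CS.cfg (collected from every CA master) and `renewal_masters` the output of an `ldapsearch` over `cn=masters,cn=ipa,cn=etc,<suffix>`; a generator count other than one, or more than one renewal master, is exactly the split-brain the reply warns about, since two generators can each sign a CRL with the same number but different revocation contents.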
