[Freeipa-users] migration 3.3->4.1 & CA change

Jan Cholasta jcholast at redhat.com
Thu Oct 23 07:00:22 UTC 2014


Dne 23.10.2014 v 08:47 Petr Spacek napsal(a):
> On 22.10.2014 22:06, William Graboyes wrote:
>> Hash: SHA512
>> Hello List,
>> So the whole not being able to change the CA easily is becoming a
>> regular point of contention in meetings.  If I have read the e-mails
>> on this list correctly this issue is fixed in 4.1.  After spending a
>> large amount of time thinking about this, I believe I have come to a
>> solution that will appease management, my coworkers, and myself.
>> Here is what I am thinking of doing.  I am thinking I will install
>> FC21 VM with free-IPA (which should be 4.1) then migrating my current
>> install over there, followed by changing the CA to that of my
>> contracted CA and third party issuer.
>> The questions that come to mind are:
>> 1) how does one migrate the information over to a new install, in this
>> case 3.3 to 4.1 on separate servers?
> You should be able to simply add FreeIPA 4.1 replica to existing 3.3
> deployment. Please make sure that your 3.3 it updated with latest
> packages, older versions of DS had some problems with replication to
> newest version AFAIK.
>> 2) is there any documentation on the process of changing the CA in 4.1?
> Honza, can you add some details?

You can fid more info at 

>> 3) am I insane for wanting to introduce FC21 into my environment?
>> 4) has anyone done this, and what was your experience with doing so?


Jan Cholasta

More information about the Freeipa-users mailing list