[Freeipa-users] Promoting a replica to a FreeIPA server without primary server
Rob Crittenden
rcritten at redhat.com
Thu Apr 9 14:01:06 UTC 2015
Прохоров Сергей wrote:
> Thank you, Rob for your response
>
> On 08.04.2015 21:07, Rob Crittenden wrote:
>> I assume you can't do this because the original host is lost, right?
> Yeah, you're right.
>
>> Every IPA master is an equal, some are just more equal than others. The
>> key bit that distinguishes them is whether there is a CA installed. The
>> other bit has to do with CRL generation and renewal which in your
>> version can only be done on one host (neither of which apply to
>> --selfsign anyway).
>
> I want to clarify, I didn't use the --selfsign key during primary server
> installation. I suppose it's the default key for the CA, am I wrong?
> On my current IPA server (replica) I don't have a CA.
>
>> You mention migrating. What new primary server?
> I'm talking about installing a new FreeIPA server and copying all the
> data there.
That may be your best bet, but right now only users and groups are
migrated, so that may not be adequate.
>> So I'd start digging around to see if you have the original CA private
>> key somewhere. The end of the IPA server install would have recommended
>> backing up cacert.p12.
>>
> I have backup of cacert.p12 key.
Theoretically it is possible to stand up a new CA instance using
cacert.p12 but AFAIK nobody has worked out all the details. It would be
a less-than-perfect solution anyway since knowledge of all
currently-issued certs is lost.
I'd suggest looking into migration.
rob
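Rob's advice hinges on whether the cacert.p12 backup really contains a usable CA private key and certificate. The script below is an added example, not code from this thread or from the FreeIPA project: it uses only openssl to open a PKCS#12 bundle, confirm it holds a private key whose public half matches the bundled certificate, and confirm that certificate is a CA (basicConstraints CA:TRUE) that has not expired. The file name cacert.p12 comes from the thread; the password `secret`, the subject name, and the throwaway CA generated by `make_fixture_ca` are constructed for the demo and stand in for a real backup.

```shell
#!/bin/sh
# Added example (not FreeIPA code): sanity-check a cacert.p12 CA backup with openssl.
set -eu

# Verify that a PKCS#12 bundle holds a CA certificate plus its matching private key.
# Returns 0 when the backup looks usable, 1 (with a reason on stdout) otherwise.
check_cacert_backup() {
    p12="$1"; pass="$2"
    [ -s "$p12" ] || { echo "FAIL: missing or empty file: $p12"; return 1; }

    # Pull the private key out unencrypted; this fails on a wrong password or a damaged file.
    key=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
          | openssl pkey 2>/dev/null) \
        || { echo "FAIL: cannot read a private key from $p12 (wrong password, damaged file, or legacy cipher)"; return 1; }

    # -clcerts selects only the certificate(s) that belong to that key.
    cert=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
           | openssl x509 2>/dev/null) \
        || { echo "FAIL: no certificate paired with the key in $p12"; return 1; }

    # The certificate must actually be a CA, otherwise it cannot sign anything.
    printf '%s\n' "$cert" | openssl x509 -noout -text | grep -q 'CA:TRUE' \
        || { echo "FAIL: certificate in $p12 is not a CA (no CA:TRUE basic constraint)"; return 1; }

    # Key and certificate must agree: compare the public key derived from each.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match the CA certificate in $p12"; return 1; }

    # An expired CA certificate is no use for standing up a new CA instance.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "FAIL: CA certificate in $p12 has expired"; return 1; }

    echo "OK: $p12 contains a CA key pair"
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    return 0
}

# Constructed fixture: a throwaway self-signed CA packed the way a cacert.p12 backup is,
# so the check can be exercised offline. Replace with the path to your real backup.
make_fixture_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
    openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
        -name "caSigningCert" -out "$dir/cacert.p12" -passout pass:secret
}

# Demo run on the constructed fixture.
tmp=$(mktemp -d)
make_fixture_ca "$tmp"
check_cacert_backup "$tmp/cacert.p12" secret && echo "backup usable"
check_cacert_backup "$tmp/cacert.p12" wrongpass || echo "wrong password correctly rejected"
rm -rf "$tmp"
```

A backup written by an older FreeIPA release may be encrypted with RC2 or 3DES, which OpenSSL 3 only exposes through the legacy provider; if the key extraction step fails on such a file, retry the two `openssl pkcs12` invocations with the `-legacy` flag before concluding the backup is damaged.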