[Freeipa-users] ipa-replica-install --setup-ca: do or don't?

Karl Forner karl.forner at gmail.com
Mon Dec 28 18:18:46 UTC 2015


> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.

What is the downside of having every replica as a CA?
Because in case of big trouble with your master, if your replica is not a
CA you cannot replace your master from this replica, right?
In particular you cannot make another replica from your existing replica.

On Mon, Dec 28, 2015 at 7:11 PM, Simo Sorce <simo at redhat.com> wrote:

> On Mon, 2015-12-28 at 13:10 +0100, Harald Dunkel wrote:
> > Hi folks,
> >
> > how come '--setup-ca' is not the default for
> > ipa-replica-install? What is best practice wrt creating
> > a local CA on the replicas?
> >
> > Every insightful comment is highly appreciated.
>
> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.
>
> You can pass --setup-ca at install time or you can use ipa-ca-install
> later on.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York