[Freeipa-users] ipa-replica-install --setup-ca: do or don't?

Simo Sorce simo at redhat.com
Mon Dec 28 20:12:39 UTC 2015


On Mon, 2015-12-28 at 19:18 +0100, Karl Forner wrote:
> > There is no need to have a CA on every ipa server, so a CA is not
> > installed by default.
> 
> What is the downside of having every replica as a CA?

A CA is relatively heavyweight, as the dogtag code brings up a whole Java
VM; it also means duplicating the CA private key on more servers. Plus
there is additional DS replication (for the CA database).

This is why the compromise was to not install the CA by default. We have
since been thinking that maybe the first replica should have the CA by
default but this hasn't been done (and I can't find a ticket for it).

> Because in case of big trouble with your master, if your replica is not a
> CA you cannot replace your master from this replica, right?
> In particular, you cannot make another replica from your existing replica.

Now that we have changed the way replicas are created, at domain level
1, it may be a good RFE to ask to make it possible to install w/o CA by
generating a self-signed cert for HTTP only.

Simo.

> On Mon, Dec 28, 2015 at 7:11 PM, Simo Sorce <simo at redhat.com> wrote:
> 
> > On Mon, 2015-12-28 at 13:10 +0100, Harald Dunkel wrote:
> > > Hi folks,
> > >
> > > How come '--setup-ca' is not the default for
> > > ipa-replica-install? What is best practice wrt creating
> > > a local CA on the replicas?
> > >
> > > Every insightful comment is highly appreciated.
> >
> > There is no need to have a CA on every ipa server, so a CA is not
> > installed by default.
> >
> > You can pass --setup-ca at install time or you can use ipa-ca-install
> > later on.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >


-- 
Simo Sorce * Red Hat, Inc * New York