[Freeipa-users] I think I trashed my FreeIPA CA - how to recover?

Martin Kosek mkosek at redhat.com
Tue Jan 13 11:41:28 UTC 2015


On 01/13/2015 10:38 AM, Brian Topping wrote:
> On Jan 13, 2015, at 1:56 PM, Brian Topping <brian.topping at gmail.com> wrote:
>>
>> Hi folks, really pleased with the latest versions of FreeIPA. Very robust, quite impressive!

Good to hear! :-)

>>
>> In the process of setting it up, I ended up having to move servers a couple of times. The original server is gone, just replicas that installed cleanly with each other. 

Hmm, I hoped that after FreeIPA 3.2
(https://fedorahosted.org/freeipa/ticket/2879), FreeIPA should warn before
removing the last DNS/CA from the realm. It may indeed be a bug.

The point is that it is hard to recover when there is no master with PKI
configured and no backup to use, as some information is only on the PKI masters,
like the CA private key or other subsystem cert private keys.

> Ok, I think I have this sorted -- somewhat.
> 
> After pawing through the Tomcat configuration for Dogtag, I traced back to the pki-tomcatd at pki-tomcat.service not running. Once that started, the relevant information was available to the UI. There are a sufficient number of certificates that I think everything is in order. Whew.

Sounds promising.

> What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, is that relevant for my situation?

Yes, this is the procedure to follow for servers older than FreeIPA 4.1. Jan, is
that correct? If yes, the page deserves a warning/update.
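The stale CRL pointer Brian describes can be detected before it bites: the CRL Distribution Point (CRL DP) of a certificate issued by the IPA CA names a host, and if that host is no longer an IPA master, clients that try to fetch the CRL will fail. The script below is an added example, not code from this thread or from the FreeIPA project. It takes the text dump of a certificate (as `openssl x509 -noout -text` prints it) and a list of current masters, extracts the hostnames from the CRL DP URIs, and reports any that are not current masters. The certificate fragment, the hostnames (`ipa-old.example.test` standing in for the decommissioned original server) and the master list are all constructed sample data; on a real server the dump would come from an issued certificate and the master list from `ipa server-find` or the equivalent for your version.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): find CRL
# Distribution Point hosts that are no longer IPA masters.

# Constructed sample: the CRL DP fragment of an `openssl x509 -noout -text` dump.
# ipa-old.example.test stands in for the decommissioned original server.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-old.example.test/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName:O = ipaca, CN = Certificate Authority
'

# Constructed sample: masters that still exist. In a live system this list
# would come from the IPA server inventory, not be hard-coded.
CURRENT_MASTERS='ipa-replica1.example.test
ipa-replica2.example.test'

# crl_hosts TEXT: print the hostnames named in CRL DP URIs, one per line.
# Matches any scheme (http, ldap, ...) and strips an optional port.
crl_hosts() {
    printf '%s\n' "$1" \
        | sed -n 's/.*URI:[a-zA-Z]*:\/\/\([^/:]*\).*/\1/p' \
        | sort -u
}

# stale_crl_hosts TEXT MASTERS: print CRL DP hostnames that are not in the
# newline-separated MASTERS list (exact, whole-line match).
stale_crl_hosts() {
    crl_hosts "$1" | while IFS= read -r host; do
        if ! printf '%s\n' "$2" | grep -qxF "$host"; then
            printf '%s\n' "$host"
        fi
    done
}

# Usage with the constructed sample. On a real server, replace the first
# argument with the output of `openssl x509 -in <issued-cert.pem> -noout -text`
# and the second with the real list of masters.
stale="$(stale_crl_hosts "$SAMPLE_CERT_TEXT" "$CURRENT_MASTERS")"
if [ -n "$stale" ]; then
    echo "CRL distribution point references decommissioned host(s):"
    echo "$stale"
else
    echo "All CRL distribution points reference current IPA masters."
fi
```

The comparison is deliberately strict: a host is only accepted if it appears verbatim in the master list, so a renamed or re-addressed master shows up as stale and can be investigated rather than silently passing. Once the remaining master has been promoted to CRL master per the Howto page, re-run the check against a freshly issued certificate to confirm the CRL DP now names a live host.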
