[Freeipa-users] I think I trashed my FreeIPA CA - how to recover?

[Bill Peck]

On Thu, Jan 15, 2015 at 3:26 AM, Jan Cholasta <jcholast at redhat.com> wrote:

> Hi,
>
> Dne 14.1.2015 v 14:54 Brian Topping napsal(a):
>
>> Hi Martin, thanks for your response!
>>
>>  What I realize now is the certificate CRL points to the server that
>>>> no longer exists and I'd like to get that cleaned up. I found
>>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>> <http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>> >,
>>>> is that relevant for my situation?
>>>>
>>>
>>> Yes, this is the procedure to follow for servers older than FreeIPA
>>> 4.1. Jan is
>>> that correct? If yes, the page deserves a warning/update.
>>>
>>
> This is the procedure to follow on IPA < 4.0. On IPA >= 4.0, the
> information about renewal master is stored in LDAP, but you still have to
> handle CRL master manually.
>

I'm still not clear what needs to be done on IPA >= 4.0 when promoting a
new CRL master.  Can that page be updated to state these instructions are
for IPA < 4.0 and include the manual piece you mention for IPA >= 4.0?

Thanks


>
>
>>>
>> Ooof! I forgot that vendor repos were so far behind. I'm still at
>> 3.3.3-28.
>>
>> Is it reasonable and desirable to run one of my two servers with the
>> image documented at
>> http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos?  I'm
>> interested in integrating Shiro or some other RBAC against IPA at some
>> point in the next few months, but I'd wait if the Docker image is a
>> prelude to 4.x hitting vendor repos soon.
>>
>> Cheers, Brian
>>
>
> Honza
>
> --
> Jan Cholasta
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150115/e5ee572f/attachment.htm>