[Freeipa-users] I think I trashed my FreeIPA CA - how to recover?

Jan Cholasta jcholast at redhat.com
Fri Jan 16 08:05:47 UTC 2015


On 15.1.2015 at 15:29, Bill Peck wrote:
>
>
> On Thu, Jan 15, 2015 at 3:26 AM, Jan Cholasta <jcholast at redhat.com> wrote:
>
>     Hi,
>
>     On 14.1.2015 at 14:54, Brian Topping wrote:
>
>         Hi Martin, thanks for your response!
>
>                 What I realize now is the certificate CRL points to the
>                 server that no longer exists and I'd like to get that
>                 cleaned up. I found
>                 http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master,
>                 is that relevant for my situation?
>
>
>             Yes, this is the procedure to follow for servers older than
>             FreeIPA 4.1. Jan is that correct? If yes, the page deserves
>             a warning/update.
>
>
>     This is the procedure to follow on IPA < 4.0. On IPA >= 4.0, the
>     information about renewal master is stored in LDAP, but you still
>     have to handle CRL master manually.
>
>
> I'm still not clear what needs to be done on IPA >= 4.0 when promoting a
> new CRL master.  Can that page be updated to state these instructions
> are for IPA < 4.0 and include the manual piece you mention for IPA >= 4.0?
>
> Thanks

I have updated the page with information for current versions of IPA.

>
>         Ooof! I forgot that vendor repos were so far behind. I'm still
>         at 3.3.3-28.
>
>         Is it reasonable and desirable to run one of my two servers with the
>         image documented at
>         http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos?  I'm
>         interested in integrating Shiro or some other RBAC against IPA
>         at some point in the next few months, but I'd wait if the Docker
>         image is a prelude to 4.x hitting vendor repos soon.
>
>         Cheers, Brian
>
>
>     Honza
>
>     --
>     Jan Cholasta
>


-- 
Jan Cholasta
