[Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

Jan Cholasta jcholast at redhat.com
Fri Jan 16 08:06:31 UTC 2015


Hi,

I have updated 
<http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master> 
with information for IPA 4.0+.

Honza

On 15.1.2015 at 17:46, Rui Gomes wrote:
> Hello Rob,
>
> Thank you for the quick reply, I will give it a go, I wasn't sure if the links would work since most of the configuration for the dogtag in centos7 is different
> and commands like:
>
> "getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save"
>
> Do not apply, I will try to accommodate for the difference in versions, I might bug you guys again :)
>
>
> Regards
> Rui Gomes
>
>
> ----- Original Message -----
> From: "Rob Crittenden" <rcritten at redhat.com>
> To: "Rui Gomes" <rgomes at rvx.is>, freeipa-users at redhat.com
> Sent: Thursday, 15 January, 2015 16:20:46
> Subject: Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master
>
> Rui Gomes wrote:
>> Hello Guys,
>>
>> I have been seeing plenty of emails about promoting replicas to masters, but those articles do not seem to apply to the ipa 4.1/centos 7 combo.
>>
>> I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the file system), and I would like to promote my 4.1 replica to the master.
>>
>> I tried:
>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>
>> and:
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
>>
>> But they don't seem relevant to that specific setup, centos 7/ipa 4.1. Can you guys give me some pointers on how I can get my 4.1 replica to master?
>>
>> Regards
>> Rui Gomes
>>
>
> Every server in IPA is a master, the only distinction being whether it
> has a CA installed or not, and to a lesser extent DNS (all masters have
> the data, some may just not run the service).
>
> So if you have a master with a CA then you have a full IPA master.
>
> The only thing that distinguishes one master from another is due to
> order of installation due to two things that should only be done on one
> master: generate the CRL and handle CA subsystem certificate renewal.
>
> The first IPA master installed is given these duties. To switch the CRL
> generator use the first link.
>
> The page is going to be updated soon to reflect how renewal should be
> handled on 4.0+ servers. The renewal master is now stored in LDAP so
> switching it is a lot easier.
>
> rob
>


-- 
Jan Cholasta



