[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

Craig White CWhite at skytouchtechnology.com
Thu Sep 10 22:47:27 UTC 2015


Following instructions from here...
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

RHEL6 server
# rpm -qa ipa-server
ipa-server-3.0.0-42.el6.x86_64

RHEL7 server
# rpm -q ipa-server
ipa-server-4.1.0-18.el7_1.4.x86_64

I am down to the part where I am trying to make the new RHEL7 server the master CA server.

On the RHEL6 system, I
# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=STT.LOCAL
        subject: CN=CA Subsystem,O=STT.LOCAL
        expires: 2016-10-11 19:06:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

and the 'post-save' command is empty, doesn't track the page. Should I just ignore? I note that the output from this (save for different file path on RHEL6) indicates that the original RHEL6 is still CA Master.
The CRL generation master can be determined by looking at CS.cfg on each CA:
# grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
ca.crl.MasterCRL.enableCRLUpdates=true


Also, when I set up the second new IPA master, do I also make it a CA?

Craig White
System Administrator
O 623-201-8179   M 602-377-9752

SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032
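
The two checks this message runs by hand (the `post-save command` of each certmonger request and the `ca.crl.MasterCRL.enableCRLUpdates` value in CS.cfg), collected into shell functions as an added example; it is not part of the original post or of FreeIPA's tooling. The function names and the second sample request are constructed; the first sample request is trimmed from the output quoted above.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not FreeIPA tooling.

# For each request in `getcert list` output on stdin, print
# "request-id<TAB>nickname<TAB>post-save command" ("(empty)" if unset).
postsave_report() {
    awk -v q="'" '
        /^Request ID/ { id = $3; gsub("[" q ":]", "", id); nick = "" }
        /key pair storage:/ {
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /post-save command:/ {
            cmd = $0
            sub(/^.*post-save command:[ \t]*/, "", cmd)
            printf "%s\t%s\t%s\n", id, nick, (cmd == "" ? "(empty)" : cmd)
        }'
}

# Print ca.crl.MasterCRL.enableCRLUpdates from the CS.cfg given as $1
# ("unset" if absent); exit status is 0 only when the value is "true".
crl_updates_enabled() {
    val=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
    [ "$val" = "true" ]
}

# Sample input: first request trimmed from the post, second one constructed.
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
        status: MONITORING
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
        pre-save command:
        post-save command:
Request ID '20990101000000':
        key pair storage: type=NSSDB,location='/tmp/example',nickname='example cert',token='NSS Certificate DB'
        post-save command: /usr/local/bin/example-hook "example cert"
EOF
}

sample_getcert | postsave_report
```

On a live server the same functions take real input: `getcert list | postsave_report` and `crl_updates_enabled /etc/pki/pki-tomcat/ca/CS.cfg`.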
