[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
Rob Crittenden
rcritten at redhat.com
Fri Sep 11 13:29:09 UTC 2015
Craig White wrote:
> Following instructions from here
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
> RHEL6 server
> # rpm -qa ipa-server
> ipa-server-3.0.0-42.el6.x86_64
>
> RHEL7 server
> # rpm -q ipa-server
> ipa-server-4.1.0-18.el7_1.4.x86_64
>
> I am down to the part where I am trying to make the new RHEL7 server the master CA server
>
> On the RHEL6 system, I
>
> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
> Number of certificates and requests being tracked: 8.
> Request ID '20141022190721':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=STT.LOCAL
>         subject: CN=CA Subsystem,O=STT.LOCAL
>         expires: 2016-10-11 19:06:36 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> and the post-save command is empty, doesn't track the page. Should I
> just ignore? I note that the output from this (save for different file
> path on RHEL6) indicates that the original RHEL6 is still CA Master
There was a bug in certmonger where the pre/post save commands wouldn't
display. I believe this was fixed, see if there is an updated package
available. Otherwise you'd have to poke around in the tracking files in
/var/lib/certmonger.
> The CRL generation master can be determined by looking at CS.cfg on each CA:
>
> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
> ca.crl.MasterCRL.enableCRLUpdates=true
>
> Also, when I set up the second new IPA master, do I also make it a CA?
I'd say yes. You always want at least 2 masters with a CA.
rob
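The two checks discussed above (reading the pre/post-save commands straight out of certmonger's tracking files when `getcert list` hides them, and reading the CRL-master flag from CS.cfg) as an added, runnable example. This is not code from the thread or from the FreeIPA project. It assumes that certmonger keeps one key=value file per request under /var/lib/certmonger/requests with keys named `key_nickname`, `cert_presave_command` and `cert_postsave_command`, and that the pki-ca CS.cfg lives at /var/lib/pki-ca/conf/CS.cfg on RHEL 6 and /etc/pki/pki-tomcat/ca/CS.cfg on RHEL 7; the sample tracking entry and CS.cfg fragments are constructed for the demo, including the post-save command value.

```shell
#!/bin/sh
# Added example, not from the thread: read certmonger's tracking files directly
# (for when `getcert list` does not show pre/post-save commands) and check the
# Dogtag CS.cfg CRL-master flag. ASSUMPTIONS: certmonger keeps one key=value
# file per request under /var/lib/certmonger/requests with keys named
# key_nickname, cert_presave_command and cert_postsave_command; on RHEL 6 the
# pki-ca config is /var/lib/pki-ca/conf/CS.cfg, on RHEL 7 it is
# /etc/pki/pki-tomcat/ca/CS.cfg. Verify these against your own hosts.

# tracking_cmds <requests_dir> <nickname>
# Prints id/presave/postsave for every request whose key_nickname matches.
# Returns 1 when no tracking entry matches the nickname.
tracking_cmds() {
    dir=$1
    nick=$2
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -x: whole-line match, -F: literal (nicknames contain no regex)
        grep -qxF "key_nickname=$nick" "$f" || continue
        found=0
        printf 'id=%s\npresave=%s\npostsave=%s\n' \
            "$(sed -n 's/^id=//p' "$f")" \
            "$(sed -n 's/^cert_presave_command=//p' "$f")" \
            "$(sed -n 's/^cert_postsave_command=//p' "$f")"
    done
    return "$found"
}

# crl_master <CS.cfg>
# Prints "master" (status 0) when this CA generates the master CRL,
# "clone" (status 1) otherwise, so it can drive a shell conditional.
crl_master() {
    if grep -qxF 'ca.crl.MasterCRL.enableCRLUpdates=true' "$1"; then
        echo master
        return 0
    fi
    echo clone
    return 1
}

# --- constructed demo data (not real output from either host) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/requests"
# Modelled on the getcert output in the thread; the post-save command value is
# made up for the demo, to show a non-empty command being found.
cat > "$DEMO/requests/20141022190721" <<'EOF'
id=20141022190721
key_storage_type=NSSDB
key_storage_location=/var/lib/pki-ca/alias
key_nickname=subsystemCert cert-pki-ca
ca_name=dogtag-ipa-renew-agent
cert_presave_command=
cert_postsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
EOF
printf 'ca.crl.MasterCRL.enableCRLUpdates=true\n'  > "$DEMO/CS.cfg.master"
printf 'ca.crl.MasterCRL.enableCRLUpdates=false\n' > "$DEMO/CS.cfg.clone"

# On a real host: tracking_cmds /var/lib/certmonger/requests "subsystemCert cert-pki-ca"
tracking_cmds "$DEMO/requests" "subsystemCert cert-pki-ca"
crl_master "$DEMO/CS.cfg.master"
crl_master "$DEMO/CS.cfg.clone" || echo "(clone: not the CRL master)"
```

Run it as root on each CA, pointing `tracking_cmds` at /var/lib/certmonger/requests and `crl_master` at that release's CS.cfg path; the host whose CS.cfg reports `master` is the one still generating the CRL, which is the fact the thread is trying to establish before moving the CA master role to the RHEL 7 server.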