[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

Fri Sep 11 15:46:17 UTC 2015

On 09/11/2015 03:29 PM, Rob Crittenden wrote:
> Craig White wrote:
>> Following instructions from here…
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>>  
>>
>> RHEL6 server
>>
>> # rpm -qa ipa-server
>>
>> ipa-server-3.0.0-42.el6.x86_64
>>
>>  
>>
>> RHEL7 server
>>
>> # rpm -q ipa-server
>>
>> ipa-server-4.1.0-18.el7_1.4.x86_64
>>
>>  
>>
>> I am down to the part where I am trying to make the new RHEL7 server the
>> master CA server
>>
>>  
>>
>> On the RHEL6 system, I
>>
>> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20141022190721':
>>
>>         status: MONITORING
>>
>>         stuck: no
>>
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>>
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>>         CA: dogtag-ipa-renew-agent
>>
>>         issuer: CN=Certificate Authority,O=STT.LOCAL
>>
>>         subject: CN=CA Subsystem,O=STT.LOCAL
>>
>>         expires: 2016-10-11 19:06:36 UTC
>>
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>
>>         pre-save command:
>>
>>         post-save command:
>>
>>         track: yes
>>
>>         auto-renew: yes
>>
>>  
>>
>> and the ‘post-save’ command is empty, doesn’t track the page. Should I
>> just ignore? I note that the output from this (save for different file
>> path on RHEL6) indicates that the original RHEL6 is still CA Master
> 
> There was a bug in certmonger where the pre/post save commands wouldn't
> display. I believe this was fixed, see if there is an updated package
> available. Otherwise you'd have to poke around in the tracking files in
> /var/lib/certmonger.

I think Rob meant this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181022

It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows
about other similar fixes.

> 
>> The CRL generation master can be determined by looking at CS.cfg on each CA:
>>
>> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
>>
>> ca.crl.MasterCRL.enableCRLUpdates=true
>>
>>  
>>
>>  
>>
>> Also, when I set up the second new IPA master, do I also make it a CA?
> 
> I'd say yes. You always at at least 2 masters with a CA.
> 
> rob
> 