[Freeipa-users] IPA PKI Questions

Kendal Montgomery kmontgomery at cbuscollaboratory.com
Wed Apr 26 15:33:40 UTC 2017


Hi all,

I’ve been struggling the last few days with rebuilding part of my FreeIPA infrastructure, which has led me to some questions about how some of the IPA infrastructure works. To give a bit of background, I have two IPA servers (my initially installed IPA server, and a replica), both of which have DNS, NTP, and CA roles. I’m running CentOS 7.3, FreeIPA 4.4 currently (upgraded from original CentOS 7 installations, which I believe were FreeIPA 4.1? initially). I have several remote sites that each have two IPA server replicas that have replication topology segments for the domain and ca suffixes back to the two on-prem IPA servers. This has been working quite well for over a year now, through the upgrades, etc. Occasionally I get an issue with some conflicting records in LDAP, which I’ve cleared up by following some of the documentation out there. It seems when this happens, however, I end up in a situation where replication stops working, and I end up needing to “refresh” the installations. I have done this once so far, and am in the process again currently, by deleting each remote IPA server (ipa server-del), then re-installing each server to get a clean copy of the databases for everything. Last time I had no issues doing this. This time around, I’m running into some issues with the CA setup. I seem to be able to run ipa-replica-install just fine without the --setup-ca option. I may be running into some issues identified in an earlier post this week, so I’ll ask about this issue separately if I continue to have problems. In working through these issues, I realized I don’t really know enough about how the interaction between the IPA clients and IPA server works with regard to the PKI infrastructure. I have some questions on what server roles I need at each site, how the PKI infrastructure works within the IPA environment, and how the clients communicate with it:


1) How do the IPA clients discover servers with the CA role and use them?

2) Is all this interaction done through APIs on the IPA server – in other words, are these requests fielded by the IPA server and proxied somehow to known servers with the CA role?

3) Do the clients need “direct” access to a server with the CA role to request and obtain certificates and renewals? (i.e. do I need each IPA server to have the CA role?)

4) Is it sufficient to just have one server with the CA role at each site? Or even just one at the main on-prem site?


Kendal Montgomery
DevOps Engineer / Lab Manager
Empowering collective insights
