Hi Fraser,

Actually my goal would be to have two identical standalone servers. For instance, maybe add a server as a replica and then separate them from each other, or maybe export the CAs and issued certs and then import them to a new server. But I'm not sure how to do either of those.

I did try to add a server as a replica and then run ipa-replica-manage del server-name on both, but when I try to delete the master from the replica it complains that it can't be removed. I tried ipa-replica-manage del master-server-name --force and that works, but then the ipa tools break and I can no longer log in to the web portal. So I know I'm doing something wrong.

Any advice would be helpful.

Thanks,
Ralph

> On Tue, Oct 16, 2018 at 7:18 PM Fraser Tweedale <ftwee...@redhat.com> wrote:
>
>> On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via FreeIPA-users wrote:
>> > Hello,
>> > I have a FreeIPA server that is currently running as a CA only, no clients
>> > connect, no LDAP entries have ever been made, no DNS etc... The original
>> > ipa CA is how it was set up during the initial install.
>> > A second CA was created, company.com CA, and certs have been created from
>> > this CA.
>> > I've set up two new freeipa boxes and have them replicated and migrated our
>> > openldap users and groups.
>> >
>> > What we would like to do now is to export the company.com CA from the
>> > "freeipa CA only" and import it into the new freeipa environment.
>> > I haven't been able to find anything about doing this in my web searches so
>> > far.
>> >
>> > Can somebody help me with this?
>> >
>> > Thanks,
>> > Ralph
>>
>> Hi Ralph,
>>
>> It's not clear what you want to accomplish. Do you want to:
>>
>> - Import the company.com CA certificate into FreeIPA so that IPA
>>   servers and clients will use it as a trusted CA?
>>   (Use `ipa-cacert-manage install` to do this).
>>
>> - Reissue the IPA CA certificate as a subordinate of the company.com
>>   CA? You can use `ipa-cacert-manage renew --external-ca` to do
>>   this.
>>
>> - Something else?
>>
>> Cheers,
>> Fraser