On Fri, Oct 19, 2018 at 09:55:39AM -0400, Ralph Crongeyer via FreeIPA-users 
wrote:
> We are trying to combine services and servers into FreeIPA. We have
> openldap for LDAP, and a stand-alone FreeIPA for CA / certs; this
> stand-alone has the DNS component installed, which we don't want to use
> in our new environment. We want to migrate the old CA and openldap to a
> new FreeIPA cluster.
> I did what you suggested here:
> 
> "Well, you can create a replica with a CA (`ipa-replica-install
> --setup-ca` or `ipa-replica-install` and subsequent
> `ipa-ca-install`).  They will be exact replicas, all keys and
> certificates will be the same on both masters.  Then you can
> separate them."
> 
> But the separated replica is always broken because of the master's DNS
> component. By broken I mean we can't log into the portal.
> 
I'm not familiar with the DNS side of IPA but hopefully others can
comment.

> The openldap migration is done, it's just the CA and certs migration that
> I'm having problems with.
> 
There is no way to deploy FreeIPA with an existing CA or keypair (it
is on the roadmap).  There is probably a hack to do it but AFAIK
no one has investigated how and documented the process.  And it would
be unsupported.

I recommend installing the new FreeIPA installation as a subordinate
of the existing CA (instructions[1]).  The certificates that were
issued by the old CA will continue to be trusted by the new
deployment.

[1] 
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html

Then the main thing to consider is what to do about the certificates
that were already issued.  Is it possible you will need to revoke
any?  If so you should continue to operate the existing CA so that,
if needed, you can revoke them, and CRLs and OCSP will continue to
provide correct information.  When all the relevant certificates
that were issued by the old CA have expired, you can decommission
it.

If it is a small number of service certificates, you might consider
just creating new keypairs (deleting the old) and issuing new certs
from the new CA.  Then you can immediately decommission the old CA.

Cheers,
Fraser


> On Thu, Oct 18, 2018 at 10:27 PM Fraser Tweedale <[email protected]>
> wrote:
> 
> > On Thu, Oct 18, 2018 at 10:00:20AM -0400, Ralph Crongeyer via
> > FreeIPA-users wrote:
> > > Hi Fraser,
> > > Actually my goal would be to have two identical stand-alone servers. For
> > > instance maybe add a server as a replica and then separate them from each
> > > other, or maybe export the CAs and issued certs and then import them to a
> > > new server. But I'm not sure how to do either of those.
> > >
> > Well, you can create a replica with a CA (`ipa-replica-install
> > --setup-ca` or `ipa-replica-install` and subsequent
> > `ipa-ca-install`).  They will be exact replicas, all keys and
> > certificates will be the same on both masters.  Then you can
> > separate them.
> >
> > > I did try to add a server as a replica and then run `ipa-replica-manage del
> > > server-name` on both, but when I try to delete the master from the replica
> > > it complains that it can't be removed. I tried `ipa-replica-manage del
> > > master-server-name --force` and that works but then the ipa tools break and
> > > I can no longer log in to the web portal. So I know I'm doing something
> > > wrong.
> > >
> >
> > I'm not sure what the problem is here.  Maybe someone else can weigh
> > in.  But in the end, I'm really not sure what problem you're trying
> > to solve.  Why would you want to create two identical masters and
> > then "divorce" them?  What problem are you trying to solve?
> >
> > Cheers,
> > Fraser
> >
> > > Any advice would be helpful.
> > >
> > > Thanks,
> > > Ralph
> > >
> > >
> > >
> > > > On Tue, Oct 16, 2018 at 7:18 PM Fraser Tweedale <[email protected]>
> > > > wrote:
> > > >
> > > >> On Tue, Oct 16, 2018 at 01:23:11PM -0400, Ralph Crongeyer via
> > > >> FreeIPA-users wrote:
> > > >> > Hello,
> > > >> > I have a FreeIPA server that is currently running as a CA only, no
> > > >> > clients connect, no LDAP entries have ever been made, no DNS etc... The
> > > >> > original ipa CA is how it was set up during the initial install.
> > > >> > A second CA was created, company.com CA, and certs have been created
> > > >> > from this CA.
> > > >> > I've set up two new freeipa boxes and have them replicated and migrated
> > > >> > our openldap users and groups.
> > > >> >
> > > >> > What we would like to do now is to export the company.com CA from the
> > > >> > "freeipa CA only" and import it into the new freeipa environment.
> > > >> > I haven't been able to find anything about doing this in my web
> > > >> > searches so far.
> > > >> >
> > > >> > Can somebody help me with this?
> > > >> >
> > > >> > Thanks,
> > > >> > Ralph
> > > >>
> > > >> Hi Ralph,
> > > >>
> > > >> It's not clear what you want to accomplish.  Do you want to:
> > > >>
> > > >> - Import the company.com CA certificate into FreeIPA so that IPA
> > > >>   servers and clients will use it as a trusted CA?
> > > >>   (Use `ipa-cacert-manage install` to do this).
> > > >>
> > > >> - Reissue the IPA CA certificate as a subordinate of the company.com
> > > >>   CA?  You can use `ipa-cacert-manage renew --external-ca` to do
> > > >>   this.
> > > >>
> > > >> - Something else?
> > > >>
> > > >> Cheers,
> > > >> Fraser
> > > >>
> > > >
> >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
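As an added illustration of the subordinate-CA migration Fraser recommends in this thread (an example script written for this page, not FreeIPA's tooling and not from any participant), the following models it with plain openssl: the old stand-alone CA signs a subordinate CA certificate for the new deployment, a certificate from each CA is verified with only the old root trusted, and a helper reports whether any certificate the old CA issued is still within its validity period, which is the condition given above for keeping the old CA up to serve revocation, CRLs and OCSP. All names, lifetimes and file names are constructed for the demo, and it assumes an openssl 1.1 or 3 CLI.

```shell
#!/bin/sh
# Added demo, not FreeIPA code: old stand-alone CA -> subordinate new CA, then a
# check for when the old CA can be retired.  All names/lifetimes are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# 1. The existing stand-alone CA (stands in for the old FreeIPA CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout old-ca.key -out old-ca.pem \
  -subj "/CN=Old standalone IPA CA" -days 365 >/dev/null 2>&1
# 2. A service certificate the old CA already issued (30-day lifetime).
openssl req -newkey rsa:2048 -nodes -keyout svc.key -out svc.csr \
  -subj "/CN=svc.ipa.test" >/dev/null 2>&1
openssl x509 -req -in svc.csr -CA old-ca.pem -CAkey old-ca.key -CAcreateserial \
  -days 30 -out svc-old.pem >/dev/null 2>&1
# 3. The new deployment's CA, issued as a subordinate of the old CA.  In FreeIPA
#    this is the `ipa-cacert-manage renew --external-ca` step from the thread.
openssl req -newkey rsa:2048 -nodes -keyout new-ca.key -out new-ca.csr \
  -subj "/CN=New IPA CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl x509 -req -in new-ca.csr -CA old-ca.pem -CAkey old-ca.key -CAcreateserial \
  -days 365 -extfile ca.ext -out new-ca.pem >/dev/null 2>&1
# 4. A certificate issued by the new (subordinate) CA.
openssl x509 -req -in svc.csr -CA new-ca.pem -CAkey new-ca.key -CAcreateserial \
  -days 30 -out svc-new.pem >/dev/null 2>&1
# Verify a leaf with only the old root trusted; the subordinate CA is passed as
# an untrusted intermediate, which is how a client holding the old root sees it.
chains_to_old_root() {
  openssl verify -CAfile old-ca.pem -untrusted new-ca.pem "$1" >/dev/null 2>&1
}
# Exit 0 while any certificate issued by the old CA is still valid $1 seconds
# from now, i.e. while the old CA must stay up so it can revoke it and serve
# CRL/OCSP.  Remaining arguments are certificate files to inspect.
old_ca_still_needed() {
  horizon=$1; shift
  for c in "$@"; do
    case "$(openssl x509 -in "$c" -noout -issuer)" in
      *"Old standalone IPA CA"*) ;;
      *) continue ;;
    esac
    if openssl x509 -in "$c" -noout -checkend "$horizon" >/dev/null; then
      return 0
    fi
  done
  return 1
}
chains_to_old_root svc-old.pem && echo "old-CA cert: still trusted"
chains_to_old_root svc-new.pem && echo "new-CA cert: chains to old root"
if old_ca_still_needed 0 svc-old.pem svc-new.pem; then echo "keep old CA up"; fi
```

Passing a horizon of, say, 40 days of seconds to `old_ca_still_needed` answers "could the old CA be decommissioned by then?", since the 30-day certificate it issued will have expired.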