Hi,

We've installed a replicated 7Server IPA setup with an internal CA. Now, due to corporate policies, we need to migrate to a no-CA setup (because we need to use corporate-signed certificates and a sub-CA is also not allowed..). So we need to migrate from 7Server internal-CA replicated IPA to 8Server no-CA replicated IPA.

ipa-replica-install does not support --ca-cert-file, so we cannot install the new replica with the corporate certificates straight away. What would be the correct procedure? I've come up with the following steps:

1. install the new 8Server replicas without CA (they will get the self-signed certificates from the existing 7Server master (first master))
2. first add the corporate root CA to both the 7Server and 8Server nodes' system ca-bundle.trust.crt
3. manually replace the HTTP and LDAP certificates with corporate-signed certificates
4. remove the 7Server replica and first master, so we end up with the no-CA 8Server nodes only

I'm wondering whether replication will still be functional when performing step 3, but I can perform additional testing on that. We are running production with our setup, so we need an 'online' migration strategy.

Would this be the best approach or do I need another solution? ;-)

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
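A pre-flight check and command sequence for steps 2 and 3 of the procedure in the post above, added here as an example; it is not from the original post and not a FreeIPA script. It assumes placeholder paths (/root/corp-root.crt, a PKCS#12 bundle holding the corporate-signed server key and cert) and a PKCS#12 PIN passed in as an argument, and it uses only documented tooling (openssl, update-ca-trust, ipa-cacert-manage, ipa-certupdate, ipa-server-certinstall, ipa-replica-manage). The selfcheck function builds a throwaway root CA, an unrelated root and a leaf certificate with openssl in a temp directory (constructed test data) so the chain check can be exercised offline; the two IPA functions are only meant to be run on a real server.

```shell
#!/bin/bash
# Added example for the migration discussed above (not from the original
# post and not part of FreeIPA). Paths, host names and the PIN are
# placeholders; ipa-* calls assume a running IPA server with admin rights.
set -u

# check_cert_chain CERT.pem ROOT_CA.pem FQDN
# Returns 0 only if CERT chains to ROOT_CA *and* carries FQDN as a DNS
# subjectAltName. Run this on the corporate-signed cert before handing it
# to IPA so a cert from the wrong CA, or for the wrong host, never lands
# in httpd/389-ds and breaks the replica's TLS (and with it replication).
check_cert_chain() {
    local cert="$1" ca="$2" fqdn="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -qw "DNS:${fqdn}" || return 2
    return 0
}

# Step 2: make the corporate root known to the OS trust bundle and to IPA.
# ipa-cacert-manage stores it in IPA's LDAP cert store; ipa-certupdate then
# pulls it into every server's and client's NSS databases and trust bundle.
install_corp_root() {
    local root="$1"                                    # e.g. /root/corp-root.crt (placeholder)
    cp "$root" /etc/pki/ca-trust/source/anchors/corp-root.crt
    update-ca-trust extract
    ipa-cacert-manage install -t C,, "$root"
    ipa-certupdate                                     # repeat on every other server and client
}

# Step 3 on one server: verify the new cert, swap HTTP (-w) and LDAP (-d)
# certs, restart, then check the replication agreements from this host.
replace_server_certs() {
    local p12="$1" pin="$2" root="$3" fqdn leaf
    fqdn="$(hostname -f)"
    leaf="$(mktemp)" || return 1
    openssl pkcs12 -in "$p12" -passin "pass:${pin}" -nokeys -clcerts -out "$leaf" || return 1
    if ! check_cert_chain "$leaf" "$root" "$fqdn"; then
        echo "refusing: cert does not chain to ${root} or lacks DNS:${fqdn}" >&2
        rm -f "$leaf"; return 1
    fi
    rm -f "$leaf"
    ipa-server-certinstall -w -d --pin="$pin" "$p12" || return 1
    ipactl restart
    # Each agreement's "last update status" should report no error; any
    # TLS failure after the swap shows up here before users notice it.
    ipa-replica-manage list -v "$fqdn"
}

# Offline exercise of check_cert_chain with constructed throwaway certs.
selfcheck() {
    local tmp fqdn=ipa1.example.test rc=0
    tmp="$(mktemp -d)" || return 1
    (
        cd "$tmp" &&
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.cnf &&
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=Corp Root CA' -keyout corp.key -out corp.crt &&
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=Some Other CA' -keyout other.key -out other.crt &&
        printf 'subjectAltName = DNS:%s\n' "$fqdn" > san.cnf &&
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=${fqdn}" -keyout leaf.key -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA corp.crt -CAkey corp.key -CAcreateserial \
            -days 1 -extfile san.cnf -out leaf.crt
    ) >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    check_cert_chain "$tmp/leaf.crt" "$tmp/corp.crt" "$fqdn"             || rc=1  # good chain must pass
    check_cert_chain "$tmp/leaf.crt" "$tmp/other.crt" "$fqdn"            && rc=1  # wrong root must fail
    check_cert_chain "$tmp/leaf.crt" "$tmp/corp.crt" ipa2.example.test   && rc=1  # wrong host must fail
    rm -rf "$tmp"
    return "$rc"
}
```

Usage on a server, after copying the corporate root and the PKCS#12 bundle there: `install_corp_root /root/corp-root.crt` on one master (then `ipa-certupdate` on the rest), and `replace_server_certs /root/ipa1.p12 "$PIN" /root/corp-root.crt` on each server in turn. The chain check is the part worth keeping even if you script the rest differently: replication agreements use the directory server's TLS cert, so a cert that does not validate against the trust the other masters hold is exactly what would stall replication in step 3.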
