Ian Pilcher via FreeIPA-users wrote:
> (Hopefully Thunderbird will only send one copy of this. Sorry about the
> previous duplicate.)
>
> I run a single FreeIPA server (on CentOS 7) in my home network, and I'm
> thinking of migrating it to Fedora. AFAICT, doing this as an actual
> upgrade will require multiple cycles of creating a newer FreeIPA server,
> adding it as a replica, removing the older server, lather, rinse,
> repeat.
>
> I'm only using FreeIPA for its DNS, certificate authority, and LDAP
> authentication capabilities, and my home network isn't that large, so
> I'm considering simply installing a new server and re-creating the
> various users, hosts, services, and DNS zones/entries. (I don't have
> any systems that are truly managed with FreeIPA.)
>
> Thus, it would be nice if the new FreeIPA server could use the same
> root CA certificate as the existing one. I believe that I can do this
> by passing the --external-cert-file option to ipa-server-install, but
> I need both the certificate and the private key of the root CA to do so.
>
> Thus, I'm wondering how I can extract the root CA private key from my
> existing CentOS 7 (FreeIPA 4.6.8) server.
One reason for the RHEL 7 -> RHEL 8 -> RHEL 9 migration requirement is due to crypto changes between them. You'd probably have the same issue trying to create a replica from a RHEL 7 server unless you tweaked the crypto policy, and even then I'm not sure it would work.

The CA is stored in the NSS database /etc/pki/pki-tomcat/alias. You can use pk12util to extract it into a PKCS#12, then extract that and you'll have the CA.

This would keep the CA trust the same, but with a fresh install you'd need new keytabs for any enrolled clients.

rob
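The pk12util-then-openssl procedure Rob describes, written out as a script. This is an added example, not code from the thread or from FreeIPA; the NSS database path comes from the reply, while the password.conf location, its "internal=" key, the "caSigningCert" nickname and the OpenSSL 3 "-legacy" note are assumptions about a default FreeIPA 4.x install.

```shell
#!/bin/sh
# Export the FreeIPA CA certificate and private key from the existing server's
# Dogtag NSS database and split them into PEM files for the new install
# (the files ipa-server-install's --external-cert-file expects).
# Run as root on the CentOS 7 server: ./export-ca.sh run
# Assumed (default FreeIPA 4.x layout, not stated in the thread): the
# password.conf path, its "internal=" key, and the "caSigningCert" nickname.
set -eu

NSSDB=/etc/pki/pki-tomcat/alias               # named in the thread
PWCONF=/etc/pki/pki-tomcat/password.conf      # assumed: "internal=<NSS db password>"
OUTDIR=${OUTDIR:-/root/ca-export}

# Print the NSS database password from password.conf content read on stdin.
internal_password() {
    sed -n '/^internal=/{s/^internal=//p;q;}'
}

# Print the CA signing cert's nickname from `certutil -L` output on stdin:
# the line starting with "caSigningCert", with the trailing trust flags removed.
ca_nickname() {
    awk '/^caSigningCert / { sub(/[ \t]+[A-Za-z,]+[ \t]*$/, ""); print; exit }'
}

export_ca() {
    umask 077                                 # key material is root-only from the start
    mkdir -p "$OUTDIR"
    nick=$(certutil -L -d "$NSSDB" | ca_nickname)
    [ -n "$nick" ] || { echo "no caSigningCert entry in $NSSDB" >&2; return 1; }
    internal_password < "$PWCONF" > "$OUTDIR/db.pw"
    openssl rand -base64 24 > "$OUTDIR/p12.pw"  # one-off transport password for the PKCS#12
    pk12util -o "$OUTDIR/ca.p12" -n "$nick" -d "$NSSDB" \
             -k "$OUTDIR/db.pw" -w "$OUTDIR/p12.pw"
    rm -f "$OUTDIR/db.pw"                     # don't leave the NSS password on disk
    # Split the bundle. On an OpenSSL 3 host (Fedora) add -legacy to both
    # commands if openssl rejects the RC2/3DES ciphers older NSS versions use;
    # running this step on the CentOS 7 box itself avoids that.
    openssl pkcs12 -in "$OUTDIR/ca.p12" -passin "file:$OUTDIR/p12.pw" \
            -clcerts -nokeys -out "$OUTDIR/ca.crt"
    openssl pkcs12 -in "$OUTDIR/ca.p12" -passin "file:$OUTDIR/p12.pw" \
            -nocerts -nodes -out "$OUTDIR/ca.key"
    echo "CA exported to $OUTDIR (ca.crt, ca.key, ca.p12); remove when done" >&2
}

if [ "${1:-}" = run ]; then
    export_ca
fi
```

ca.key is written unencrypted (readable only by root); copy it to the new server over an authenticated channel and delete every copy once the install has imported it.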
