Hi,

On Thu, Jul 6, 2023 at 9:55 AM Harald Dunkel via FreeIPA-users <[email protected]> wrote:
> Hi folks,
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/migrating_to_identity_management_on_rhel_8/index#assigning-the-ca-renewal-server-role-to-the-rhel-8-idm-server_migrate-7-to-8
>
> describes how to move the CA renewal server from RHEL 7 to a new host with RHEL 8, apparently for using a self-signed root CA. Is this the same procedure for using an external root CA? Do I have to create a CSR for the new host first, to be signed by the external CA, and then import it?

If you have an externally-signed IPA CA and want to install a RHEL8 replica, the replica installation procedure does not involve the external CA. If you install the CA role on the replica (either with ipa-replica-install --setup-ca or ipa-replica-install followed by ipa-ca-install), the replica will get the same private key and IPA CA cert during the installation (and will have the same cert chain external root CA > IPA CA).

When you decommission the RHEL7 server, you need to switch the CA renewal role to the RHEL8 server (the CA renewal role is set on a single server, even if the CA role can be set on multiple servers) and the procedure does not care whether the IPA CA was self-signed or externally-signed. Do not forget to also transfer the CRL generation role to the RHEL8 server.

Hope this clarifies,
flo

> Sorry for asking, but I have the impression this detail is missing in RedHat's documentation. Every insightful comment is highly appreciated.
>
> Harri
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
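As an added example (not part of this thread, nor FreeIPA project code), a small POSIX shell script that carries out the role transfer flo describes once the RHEL 8 replica already has the CA role. It assumes an admin Kerberos ticket, root ssh access to both servers, placeholder hostnames, and uses the ipa config-mod --ca-renewal-master-server and ipa-crlgen-manage commands, which the thread itself does not name; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Transfer the CA renewal and CRL generation roles from an old IPA server
# to a new replica that already runs the CA role. Both roles must live on
# exactly one server in the topology, so the old server is disabled first.
# OLD_SERVER / NEW_SERVER are placeholder FQDNs supplied by the operator.

run() {
    # Print the command instead of running it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: point the IPA-wide renewal master setting at the new server.
# This is a domain-level setting, so it is issued once, from any server.
switch_ca_renewal_master() {
    run ipa config-mod --ca-renewal-master-server="$1"
}

# Step 2: CRL generation is a per-host setting managed locally, so the
# command is issued on each host (over ssh here): off on the old server,
# on on the new one. Leaving it enabled on both would produce two CRLs.
transfer_crl_generation() {
    run ssh "root@$1" ipa-crlgen-manage disable
    run ssh "root@$2" ipa-crlgen-manage enable
}

# Step 3: read back which server IPA now reports as renewal master.
current_ca_renewal_master() {
    ipa config-show | sed -n 's/^ *IPA CA renewal master: *//p'
}

# Usage: OLD_SERVER=old.example.test NEW_SERVER=new.example.test sh transfer-roles.sh
if [ -n "${OLD_SERVER:-}" ] && [ -n "${NEW_SERVER:-}" ]; then
    switch_ca_renewal_master "$NEW_SERVER"
    transfer_crl_generation "$OLD_SERVER" "$NEW_SERVER"
    echo "CA renewal master is now: $(current_ca_renewal_master)"
fi
```

Run `ipa-crlgen-manage status` on each server afterwards to confirm that only the new server generates CRLs.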
