David, The simplest solution may be as Rob suggests - which is to create a new CA as a subordinate of the old.
The other solution would be doable but would require a few more manual steps. That is, you could: 1. install a new ca 2. switch out the certs in that ca with the ones in your gpg file. The certificate database is in /var/lib/pki-ca/alias 3. There may be some manual changes required in /etc/pki-ca/CS.cfg, but as the nicknames should be the same, you might be ok. 4. If you go this route, you probably want to change the lower point of the serial number ranges used for certs/ requests in CS.cfg to not reuse serial numbers for certs you have already issued. 4. Switch out the ipa agent cert/keys in the IPA cert database. You will run into problems later though because you have lost the data in the dogtag database. In particular, because the renewal process uses the original requests (which are stored in the dogtag database), you will likely be unable to renew the certs you have already issued unless you rekey those certs. That may be OK for most certs, but you may not want to do that for the CA signing cert. In that case, you will likely need to instrument something to reconstruct the original request. Ade On Thu, 2012-05-10 at 16:50 -0400, Rob Crittenden wrote: > David Copperfield wrote: > > Hi Petr and all, > > > > All the chapter your have pointed out is read many times, but that > > doesn't help at all. > > > > My problem is: the Dogtag system ran on the IPA master ONLY before the > > IPA Master crashes. Now I have to do the following: > > > > 1, install and run Dogtag system on IPA replica -- the document > > mentioned it -- 'ipa-ca-install' and etc. > > > > 2, promote the IPA replica into new IPA Master -- document mentioned it > > but not clear -- regarding the /root/cacert.p12 key file and the replica > > file under /var/lib/ipa. > > > > 3, how to recover the dogtag systems' data (different LDAP backend) > > existed on the IPA master before it crashes? > > > > Other close questions include: > > > > what are included in the replica definition file > > /var/lib/ipa/replica-info-ipareplica01.example.com.gpg? where is the > > signing key and how to open the .gpg file? > > # gpg -d /path/to/replica.gpg | tar xf - > > The password is the Directory Manager password. > > You have limited options since your CA was a single point of failure and > it failed. The root CA private keys should be in the replica file so > there may be ways to recover, all of them will require significant > manual effort. > > We have no way to add a new CA to an existing IPA installation outside > of ipa-ca-install so we'll need to give that some thought. I think the > simplest way to fix this is to create a new CA as a subordinate of the > original one. The existing certs should still be trusted (except for the > agent cert) so mass rekeying won't be necessary. > > Another option is to install a new CA and try to replace key with the > original. We'd need to think long-term about this effort and you'd want > to renew all issued certificates so they will be revokable. > > rob > > > > > > Thanks. > > > > --David > > > > ------------------------------------------------------------------------ > > *From:* Petr Spacek <pspa...@redhat.com> > > *To:* freeipa-users@redhat.com > > *Sent:* Thursday, May 10, 2012 2:45 AM > > *Subject:* Re: [Freeipa-users] How to rebuild IPA master? > > > > On 05/10/2012 02:24 AM, Steven Jones wrote: > > > Hi, > > > > > > In case everyone else is asleep now...... > > > > > > Do you have access to RH documentation? the 6.3beta admin guide > > section 18.8 > > > talks about why and how to make a replicate a master. > > > > Just for completeness: > > Documentation is publicly available: http://docs.redhat.com/ > > > > Documentation for IPA beta: > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/index.html > > > > Documentation for latest stable IPA: > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html > > > > > > > > eg., > > > > > > "NOTE > > > All servers and replicas which host a CA are peers in the topology. > > They can > > > all issue certificates > > > and keys to IPA clients, and they all replicate information amongst > > themselves. > > > The only reason to promote a replica or server to be a master server > > is if the > > > master server is > > > being taken offline. There has to be a root CA which can issue CRLs and > > > ultimately validate > > > certificate checks. > > > Aside from that, replicas, servers, and the master server are all > > equal peers." > > > > > > regards > > > > > > Steven Jones > > > > > > Technical Specialist - Linux RHCE > > > > > > Victoria University, Wellington, NZ > > > > > > 0064 4 463 6272 > > > > > > > > ------------------------------------------------------------------------------ > > > *From:* freeipa-users-boun...@redhat.com > > <mailto:freeipa-users-boun...@redhat.com> > > [freeipa-users-boun...@redhat.com > > <mailto:freeipa-users-boun...@redhat.com>] on > > > behalf of David Copperfield [cao2...@yahoo.com > > <mailto:cao2...@yahoo.com>] > > > *Sent:* Thursday, 10 May 2012 11:04 a.m. > > > *To:* Rob Crittenden; Freeipa-users@redhat.com > > <mailto:Freeipa-users@redhat.com> > > > *Subject:* [Freeipa-users] How to rebuild IPA master? > > > > > > Hi all, > > > > > > I've a IPA master/replica setup in our development environment. > > Unfortunately > > > our IPA master crashed, the replica is working fine. Now I have the > > IPA master > > > re-imaged. > > > > > > What are the steps I have to follow to re-create the IPA master from > > running > > > IPA replica? Before crash the IPA master ran dogtag certificate > > system, while > > > the IPA replica didn't -- created normally without the --setup-ca option. > > > > > > Thanks. > > > > > > --David > > > > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com> > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com> > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users@redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
