Hi Rob, Rich and all,

 After read through all the mails in the list and the 2.2.0 document, It is 
still not clear how to promote a IPA replica to master after the master is dead.

  The basic setup is: 

 IPA 2.2.0 Master A; and IPA 2.2.0 replica B installed from A with '--setup-ca' 
option. That means, both A and B are running CA. According to 2.2.0 manual at 
chapter 18.8.1. All the steps, 1--5, are making no differences.

 So the problem turns into: how to let B has the root signing key, the 
following stanza are copied from chapter 
18.8.1. http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/promoting-replica.html

The only difference between a replica in the IPA topology and the master server 
is that the master owns the master CA in the PKI hierarchy. The 
master CA is the authoritative CA; it has the root CA signing key and 
generates CRLs which are distributed among the other servers and 
replicas in the topology. A replica database is cloned (or copied) 
directly from that master database. 

How to let B has the root signing key? Is that as simple as: overwrite B's 
/root/cacert.p12 from A (which I already saved in subversion)?

Thanks a lot.

Freeipa-users mailing list

Reply via email to