David Copperfield wrote:
Hi Rob, Rich and all,

After read through all the mails in the list and the 2.2.0 document, It
is still not clear how to promote a IPA replica to master after the
master is dead.

The basic setup is:

IPA 2.2.0 Master A; and IPA 2.2.0 replica B installed from A with
'--setup-ca' option. That means, both A and B are running CA. According
to 2.2.0 manual at chapter 18.8.1. All the steps, 1--5, are making no

So the problem turns into: how to let B has the root signing key, the
following stanza are copied from chapter 18.8.1.

The only difference between a replica in the IPA topology and the master
server is that the master owns the master CA in the PKI hierarchy. The
master CA is the authoritative CA; it has the root CA signing key and
generates CRLs which are distributed among the other servers and
replicas in the topology. A replica database is cloned (or copied)
directly from that master database.

How to let B has the root signing key? Is that as simple as: overwrite
B's /root/cacert.p12 from A (which I already saved in subversion)?

It already has the root signing key. The only difference is which one generates the CRL. The dogtag guys have told us that the first server installed is automatically the CRL generator and that the clones are not configured this way. It is unclear that this is actually the case in practice, AFAIK the dogtag team is working with our doc writer to clarify this.

But in short the only thing to do is change the CRL generator per those instructions. It is otherwise already a full CA. If none or all of them are generating a CRL it isn't the end of the world either way, you could just end up with slightly different CRLs on different masters which can be confusing.

/root/cacert.p12 is not used by a running server.


Freeipa-users mailing list

Reply via email to