On 08/12/2014 11:49 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> The documentation seems to be a little fuzzy on setting up two CAs. Some parts indicate this is a bad idea because the CRLs can clobber each other; other parts, such as the migration guide from RHEL 6.5 to 7, seem to indicate that it is ok, albeit maybe that is just for a short time.
>
> It isn't a bad idea to stand up clones, you just need to understand that this is one of the rare places where all masters are not equal. One has to be designated as the CRL generator and one as the CA renewal master. These don't have to be the same but it makes sense to keep them together IMHO.
>
> The reason to limit CRL generation to one master is the small chance that you could end up with two CRLs with the same serial number but containing different certificates. Remember that a CRL is just a signed snapshot in time of revoked certificates.
>
> Similarly for renewal, it is vastly easier to do it on one host than to try to manage the race condition of them trying to renew at the same time.
>
>> What I am wondering, because I get a little nervous when all my data for the CA is on one host (backups aside), is whether there is value, assuming that having two concurrent dogtag instances is a bad thing, in replicating the ipaca data in LDAP. Just the data, I mean: would it be possible, having just the LDAP data and whatever certs are in the replica file, to basically reconstruct a CA?
>
> Right, you want at least two CAs for redundancy. Some dogtag guru could probably stand up a new CA using just the LDAP data and the certs but I can't imagine it would be easy, even for them.
>
> rob
Ok, are there manual steps involved in that, or does the --setup-ca on the replica just take care of everything? I certainly hope I am not looking in the wrong place; I just can't seem to find anything definitive in the docs.

Thanks,
-Erinn
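Rob's point above is that two roles must each be held by exactly one master: the CRL generator and the CA renewal master. The following Python check is an added example, not from this thread or from the FreeIPA project, of how an operator could audit a topology for that property using configuration collected from each master. It assumes that the CRL generator is the Dogtag instance whose CS.cfg has `ca.crl.MasterCRL.enableCRLUpdates=true` (with `enableCRLCache` and `ca.listenToCloneModifications` alongside), and that the renewal master is the CA service entry carrying `ipaConfigString: caRenewalMaster` under `cn=masters,cn=ipa,cn=etc`; the CS.cfg excerpts, hostnames and LDIF are constructed.

```python
"""Sanity-check a FreeIPA CA topology for exactly one CRL generator and
exactly one CA renewal master.

Assumptions (not stated in the thread): the CRL generator is the Dogtag
instance whose CS.cfg has ca.crl.MasterCRL.enableCRLUpdates=true, and the
renewal master is the CA service entry carrying
ipaConfigString: caRenewalMaster in LDAP. All data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed CS.cfg excerpts, one per hypothetical master.
CS_CFG_SNIPPETS: Dict[str, str] = {
    "ipa1.example.test": (
        "ca.crl.MasterCRL.enableCRLCache=true\n"
        "ca.crl.MasterCRL.enableCRLUpdates=true\n"
        "ca.listenToCloneModifications=true\n"
    ),
    "ipa2.example.test": (
        "ca.crl.MasterCRL.enableCRLCache=false\n"
        "ca.crl.MasterCRL.enableCRLUpdates=false\n"
        "ca.listenToCloneModifications=false\n"
    ),
}

# Constructed LDIF of the CA service entries under cn=masters.
MASTERS_LDIF = """\
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ipaConfigObject
cn: CA
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

dn: cn=CA,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ipaConfigObject
cn: CA
ipaConfigString: enabledService
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse Dogtag's key=value CS.cfg format, ignoring blanks and comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def crl_generators(snippets: Dict[str, str]) -> List[str]:
    """Hosts whose CS.cfg says they write CRL updates."""
    hosts = []
    for host, text in snippets.items():
        cfg = parse_cs_cfg(text)
        if cfg.get("ca.crl.MasterCRL.enableCRLUpdates", "false").lower() == "true":
            hosts.append(host)
    return sorted(hosts)


_CA_DN = re.compile(r"^cn=CA,cn=([^,]+),cn=masters,cn=ipa,cn=etc,", re.IGNORECASE)


def renewal_masters(ldif: str) -> List[str]:
    """Hosts whose CA service entry carries ipaConfigString: caRenewalMaster."""
    hosts = []
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        dn = ""
        flags = set()
        for line in entry.splitlines():
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value
            elif attr == "ipaconfigstring":
                flags.add(value.lower())
        m = _CA_DN.match(dn)
        if m and "carenewalmaster" in flags:
            hosts.append(m.group(1))
    return sorted(hosts)


def classify(hosts: List[str]) -> str:
    """'ok' for exactly one role holder, otherwise the failure mode."""
    if len(hosts) == 1:
        return "ok"
    return "none" if not hosts else "multiple"


def audit(snippets: Dict[str, str], ldif: str) -> Dict[str, Tuple[str, List[str]]]:
    """Status of both unique roles across the whole topology."""
    gens = crl_generators(snippets)
    renew = renewal_masters(ldif)
    return {"crl_generator": (classify(gens), gens),
            "renewal_master": (classify(renew), renew)}


if __name__ == "__main__":
    for role, (status, hosts) in audit(CS_CFG_SNIPPETS, MASTERS_LDIF).items():
        print(f"{role}: {status} {hosts}")
```

In a real deployment the CS.cfg excerpts would be gathered from each master and the LDIF from a search of the `cn=masters` subtree; a `multiple` result for `crl_generator` is exactly the condition Rob describes, two signers able to emit CRLs with the same serial but different contents, and `none` means no master is publishing revocations at all.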
