Erinn Looney-Triggs wrote:
> On 08/12/2014 11:49 AM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> The documentation seems to be a little fuzzy on setting up two
>>> CAs, some parts indicate this is a bad idea because the CRLs can
>>> clobber each other, other parts, such as the migration guide from
>>> RHEL 6.5 to 7 seem to indicate that it is ok, albeit maybe that
>>> is just for a short time.
>> It isn't a bad idea to stand up clones, you just need to understand
>> that this is one of the rare places where all masters are not
>> equal. One has to be designated as the CRL generator and one as the
>> CA renewal master. These don't have to be the same but it makes
>> sense to keep them together IMHO.
>> The reason to limit CRL generation to one master is the small
>> chance that you could end up with two CRLs with the same serial
>> number but containing different certificates. Remember that a CRL
>> is just a signed snapshot in time of revoked certificates.
>> Similarly for renewal it is vastly easier to do it on one host than
>> try to manage the race condition of them trying to renew at the
>> same time.
>>> What I am wondering, because I get a little nervous when all my
>>> data for the CA is on one host (backups aside), is whether there
>>> is a value, assuming that having two concurrent dogtag instances
>>> is a bad thing, to replicating the ipaca data in ldap. Just the
>>> data I mean, would it be possible, having just the LDAP data and
>>> whatever certs are in the replica file to basically reconstruct a
>>> CA?
>> Right, you want at least two CAs for redundancy. Some dogtag guru
>> could probably stand up a new CA using just the LDAP data and the
>> certs but I can't imagine it would be easy, even for them.
>> rob
> Ok, are there manual steps involved in that or does the --setup-ca on
> the replica just take care of everything.
> I certainly hope I am not looking in the wrong place, I just can't
> seem to find anything definitive in the docs.

--setup-ca does it all for you. Dogtag actually handles the creation of
the replication agreement so we don't do a lot other than to tell it the
remote server and provide the initial certs/keys.

You can use ipa-csreplica-manage to view/manage CA replication agreements.


Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to