Прохоров Сергей wrote:
> Thank you, Rob, for your response.
>
> On 08.04.2015 21:07, Rob Crittenden wrote:
>> I assume you can't do this because the original host is lost, right?
> Yeah, you're right.
>
>> Every IPA master is equal, some are just more equal than others. The
>> key bit that distinguishes them is whether there is a CA installed. The
>> other bit has to do with CRL generation and renewal which in your
>> version can only be done on one host (neither of which apply to
>> --selfsign anyway).
>
> I want to clarify: I didn't use the --selfsign key during primary server
> installation. I suppose it's the default key for the CA, am I wrong?
> On my current IPA server (replica) I don't have a CA.
>
>> You mention migrating. What new primary server?
> I'm talking about installing a new FreeIPA server and copying all data
> there.

That may be your best bet, but right now only users and groups are
migrated, so that may not be adequate.

>> So I'd start digging around to see if you have the original CA private
>> key somewhere. The end of the IPA server install would have recommended
>> backing up cacert.p12.
>>
> I have a backup of the cacert.p12 key.

Theoretically it is possible to stand up a new CA instance using
cacert.p12 but AFAIK nobody has worked out all the details. It would be a
less-than-perfect solution anyway since knowledge of all currently-issued
certs is lost.

I'd suggest looking into migration.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
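Before deciding between a CA rebuild from cacert.p12 and a migration, a practitioner would first want to know whether the backup is actually usable: a PKCS#12 "backup" sometimes holds only the public certificate, or a key that does not match, or a certificate that has since expired. The script below is an added example, not FreeIPA tooling and not from the thread; it uses plain openssl, constructs a throwaway self-signed CA as a stand-in for the real cacert.p12 (plus a cert-only bundle to show the failure mode), and assumes the bundle password is supplied in the hypothetical PKCS12_PASS variable (on a real system that is the password chosen at ipa-server-install time).

```shell
#!/bin/sh
# Added example, not part of FreeIPA or of the mailing-list thread:
# sanity-check a cacert.p12 backup with plain openssl before planning
# a CA rebuild. Assumption: the PKCS#12 password is in PKCS12_PASS;
# "changeme" is only the password of the constructed fixture below.
set -eu
PASS="${PKCS12_PASS:-changeme}"

# Constructed fixture: a throwaway self-signed CA packed as one PKCS#12
# bundle holding both the certificate and its private key.
make_fixture() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca.key" \
    -name caSigningCert -passout "pass:$PASS" -out "$dir/cacert.p12"
}

# Constructed failure case: a bundle with the certificate but no key,
# which is what a "backup" of only the public half looks like.
make_certonly() {
  dir="$1"
  openssl pkcs12 -export -nokeys -in "$dir/ca.crt" \
    -passout "pass:$PASS" -out "$dir/certonly.p12"
}

# Returns 0 only if the bundle holds a certificate and a private key whose
# public halves match; also reports subject, expiry and the CA flag.
check_pkcs12() {
  p12="$1"
  tmp=$(mktemp -d)
  rc=1
  if ! openssl pkcs12 -in "$p12" -passin "pass:$PASS" -nokeys \
        -out "$tmp/cert.pem" 2>/dev/null || ! grep -q BEGIN "$tmp/cert.pem"; then
    echo "$p12: no certificate found (or wrong password)"
  elif ! openssl pkcs12 -in "$p12" -passin "pass:$PASS" -nocerts -nodes \
        -out "$tmp/key.pem" 2>/dev/null || ! grep -q "PRIVATE KEY" "$tmp/key.pem"; then
    echo "$p12: certificate present but NO private key; a CA cannot be rebuilt from this"
  else
    # Compare SubjectPublicKeyInfo derived from the cert and from the key.
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then
      echo "$p12: certificate and private key match"
      openssl x509 -in "$tmp/cert.pem" -noout -subject -enddate
      openssl x509 -in "$tmp/cert.pem" -noout -checkend 0 >/dev/null \
        || echo "WARNING: CA certificate has already expired"
      openssl x509 -in "$tmp/cert.pem" -noout -text | grep -q "CA:TRUE" \
        || echo "WARNING: certificate lacks basicConstraints CA:TRUE"
      rc=0
    else
      echo "$p12: private key does NOT match the certificate"
    fi
  fi
  rm -rf "$tmp"
  return $rc
}

# Demo: the complete bundle passes, the cert-only bundle is rejected.
demo() {
  d=$(mktemp -d)
  make_fixture "$d"
  make_certonly "$d"
  check_pkcs12 "$d/cacert.p12"
  if check_pkcs12 "$d/certonly.p12"; then rm -rf "$d"; return 1; fi
  rm -rf "$d"
}
demo
```

Run it against the real backup with `PKCS12_PASS=... ; check_pkcs12 /path/to/cacert.p12` after sourcing the functions. A passing result only means the signing key survived; as Rob notes, the record of already-issued certificates does not live in cacert.p12, so those would still have to be reissued.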