Прохоров Сергей wrote:
> Thank you, Rob for your response
> 
> On 08.04.2015 21:07, Rob Crittenden wrote:
>> I assume you can't do this because the original host is lost, right? 
> Yeah, you're right.
> 
>> Every IPA master is an equal, some are just more equal than others. The
>> key bit that distinguishes them is whether there is a CA installed. The
>> other bit has to do with CRL generation and renewal which in your
>> version can only be done on one host (neither of which apply to
>> --selfsign anyway).
> 
> I want to clarify: I didn't use the --selfsign option during primary server
> installation. I suppose it's the default option for the CA, am I wrong?
> On my current IPA server (replica) I don't have a CA.
> 
>> You mention migrating. What new primary server?
> I'm talking about installing a new FreeIPA server and copying all the data
> there.

That may be your best bet, but right now only users and groups are
migrated, so that may not be adequate.

>> So I'd start digging around to see if you have the original CA private
>> key somewhere. The end of the IPA server install would have recommended
>> backing up cacert.p12.
>>
> I have backup of cacert.p12 key.

Theoretically it is possible to stand up a new CA instance using
cacert.p12 but AFAIK nobody has worked out all the details. It would be
a less-than-perfect solution anyway since knowledge of all
currently-issued certs is lost.

I'd suggest looking into migration.

rob
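As an added example (not from this thread or the FreeIPA project), a shell check that a saved cacert.p12 really contains a CA certificate and its matching private key, so the backup Rob refers to can be trusted before any recovery attempt is planned; openssl being installed, the file name and the password are assumptions:

```shell
#!/bin/sh
# Constructed example: validate a cacert.p12 backup before relying on it.
# Assumes openssl is on PATH; file name and password are placeholders.

# check_cacert_p12 FILE PASSWORD
# Returns 0 only if FILE opens with PASSWORD, holds a private key, holds a
# certificate whose public key matches that private key, and that
# certificate is marked as a CA (basicConstraints CA:TRUE).
check_cacert_p12() {
  p12="$1"; pass="$2"
  tmp=$(mktemp -d) || return 1

  # Pull the private key and the certificate(s) out of the PKCS#12 bundle.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys \
    -out "$tmp/cert.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }

  # The public key derived from the private key must equal the one in the cert.
  k1=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null) || k1=""
  k2=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout 2>/dev/null) || k2=""
  [ -n "$k1" ] && [ "$k1" = "$k2" ] || { rm -rf "$tmp"; return 1; }

  # A backup of a leaf certificate is useless for standing up a CA again.
  openssl x509 -in "$tmp/cert.pem" -noout -text 2>/dev/null \
    | grep -q 'CA:TRUE' || { rm -rf "$tmp"; return 1; }

  rm -rf "$tmp"
  return 0
}

# Usage: check_cacert_p12 /path/to/cacert.p12 'backup-password' && echo usable
```

A mismatch between key and certificate, a wrong password, or a non-CA certificate all make the function return non-zero.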

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project