Thank you, Rob for your response

On 08.04.2015 21:07, Rob Crittenden wrote:
I assume you can't do this because the original host is lost, right?
Year, you right.

Every IPA master is a equal, some are just more equal than others. The
key bit that distinguishes them is whether there is a CA installed. The
other bit has to do with CRL generation and renewal which in your
version can only be done on one host (neither of which apply to
--selfsign anyway).

I want to clarify, I didn't use --selfsign key during primery server
installation. I suppose it's default key for CA, am I wrong?
On mycurrent ipa server (replica) I haven't CA.

You mention migrating. What new primary server?
I'm telling about installation of  new freeipa server and copy all data
So I'd start digging around to see if you have the original CA private
key somewhere. The end of the IPA server install would have recommending
backing up cacert.p12.

I have backup of cacert.p12 key.

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to