Thank you, Rob, for your response.
On 08.04.2015 21:07, Rob Crittenden wrote:
I assume you can't do this because the original host is lost, right?
Yeah, you're right.
Every IPA master is an equal, some are just more equal than others. The key bit that distinguishes them is whether there is a CA installed. The other bit has to do with CRL generation and renewal which in your version can only be done on one host (neither of which apply to --selfsign anyway).
I want to clarify, I didn't use the --selfsign key during the primary server installation. I suppose it's the default key for the CA, am I wrong? On my current IPA server (replica) I don't have a CA.
You mention migrating. What new primary server?
I'm talking about installing a new FreeIPA server and copying all the data there.
So I'd start digging around to see if you have the original CA private key somewhere. The end of the IPA server install would have recommended backing up cacert.p12.
I have a backup of the cacert.p12 key.