Following instructions from here... https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
RHEL6 server

    # rpm -qa ipa-server
    ipa-server-3.0.0-42.el6.x86_64

RHEL7 server

    # rpm -q ipa-server
    ipa-server-4.1.0-18.el7_1.4.x86_64

I am down to the part where I am trying to make the new RHEL7 server the master CA server.

On the RHEL6 system, I

    # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
    Number of certificates and requests being tracked: 8.
    Request ID '20141022190721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=STT.LOCAL
        subject: CN=CA Subsystem,O=STT.LOCAL
        expires: 2016-10-11 19:06:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

and the 'post-save' command is empty, doesn't track the page. Should I just ignore?

I note that the output from this (save for different file path on RHEL6) indicates that the original RHEL6 is still CA Master

The CRL generation master can be determined by looking at CS.cfg on each CA:

    # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
    ca.crl.MasterCRL.enableCRLUpdates=true

Also, when I set up the second new IPA master, do I also make it a CA?

Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr.
Phoenix, AZ 85032
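
The two checks in this message (the hook commands on a certmonger tracking request, and the CRL setting in CS.cfg) can be scripted so they are compared the same way on every CA host. This is an added example, not part of the original post or the Red Hat guide; the function names and the sample text are constructed, modelled on the output quoted above.

```python
import re

# Constructed sample, modelled on the `getcert list` output quoted in the post.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
    CA: dogtag-ipa-renew-agent
    expires: 2016-10-11 19:06:36 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
"""
SAMPLE_CS_CFG = "ca.crl.MasterCRL.enableCRLUpdates=true\n"  # constructed

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only; values such as dates contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def empty_hooks(requests):
    """IDs of tracked requests whose post-save command is empty."""
    return [r["id"] for r in requests
            if r.get("track") == "yes" and not r.get("post-save command")]

def crl_updates_enabled(cs_cfg_text):
    """True if CS.cfg sets ca.crl.MasterCRL.enableCRLUpdates=true."""
    for line in cs_cfg_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ca.crl.MasterCRL.enableCRLUpdates":
            return value.strip().lower() == "true"
    return False

if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE_GETCERT)
    print("requests with empty post-save:", empty_hooks(reqs))
    print("CRL updates enabled:", crl_updates_enabled(SAMPLE_CS_CFG))
```

On a real host, feed the functions the captured output of `getcert list` and the contents of CS.cfg instead of the constructed samples.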