Following instructions from here...

RHEL6 server
# rpm -qa ipa-server

RHEL7 server
# rpm -q ipa-server

I am down to the part where I am trying to make the new RHEL7 server the master 
CA server

On the RHEL6 system, I
# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
        status: MONITORING
        stuck: no
        key pair storage: 
cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=STT.LOCAL
        subject: CN=CA Subsystem,O=STT.LOCAL
        expires: 2016-10-11 19:06:36 UTC
        key usage: 
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

and the 'post-save' command is empty, doesn't track the page. Should I just 
ignore? I note that the output from this (save for different file path on 
RHEL6) indicates that the original RHEL6 is still CA Master.

The CRL generation master can be determined by looking at CS.cfg on each CA:
# grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg

Also, when I set up the second new IPA master, do I also make it a CA?

Craig White
System Administrator
O 623-201-8179   M 602-377-9752


SkyTouch Technology     4225 E. Windrose Dr.     Phoenix, AZ 85032
