Craig White wrote:
> Following instructions from here…
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> 
> RHEL6 server
> 
> # rpm -qa ipa-server
> ipa-server-3.0.0-42.el6.x86_64
> 
> RHEL7 server
> 
> # rpm -q ipa-server
> ipa-server-4.1.0-18.el7_1.4.x86_64
> 
> I am down to the part where I am trying to make the new RHEL7 server the
> master CA server
> 
> On the RHEL6 system, I
> 
> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
> Number of certificates and requests being tracked: 8.
> Request ID '20141022190721':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=STT.LOCAL
>         subject: CN=CA Subsystem,O=STT.LOCAL
>         expires: 2016-10-11 19:06:36 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> and the ‘post-save’ command is empty, doesn’t track the page. Should I
> just ignore? I note that the output from this (save for different file
> path on RHEL6) indicates that the original RHEL6 is still CA Master

There was a bug in certmonger where the pre/post save commands wouldn't
display. I believe this was fixed, see if there is an updated package
available. Otherwise you'd have to poke around in the tracking files in
/var/lib/certmonger.

> The CRL generation master can be determined by looking at CS.cfg on each CA:
> 
> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
> ca.crl.MasterCRL.enableCRLUpdates=true
> 
> Also, when I set up the second new IPA master, do I also make it a CA?

I'd say yes. You always want at least 2 masters with a CA.

rob
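
As an added example (not code from this thread, from Rob, or from the FreeIPA project), here is a small POSIX shell script that performs the two checks discussed above on a host running the IPA CA: whether its CS.cfg says it generates the master CRL, and what pre/post-save commands certmonger holds for the tracked "subsystemCert cert-pki-ca", read directly from the tracking files under /var/lib/certmonger as Rob suggests for the case where getcert does not display them. The CS.cfg setting and the file paths are the ones given in the thread; the key names inside the tracking files (key_nickname, cert_presave_command, cert_postsave_command) and the contents of the sample files are my assumptions, constructed so the script runs offline, not copied from any real host.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project). Combines the two
# checks discussed above for a host that runs the IPA CA:
#   1. Is this CA the CRL generation master?
#      -> ca.crl.MasterCRL.enableCRLUpdates in CS.cfg
#   2. What pre/post-save commands does certmonger hold for a tracked cert?
#      -> read from the tracking files under /var/lib/certmonger/requests,
#         which is where to look when `getcert list` does not display them.
# Assumption: tracking files are key=value lines using the keys key_nickname,
# cert_presave_command and cert_postsave_command. Verify against your own files.

# Print "master" if CS_CFG enables master CRL updates, otherwise "clone".
crl_master_status() {
    cs_cfg=$1
    val=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p' "$cs_cfg" | tail -n 1)
    case "$val" in
        true) echo master ;;
        *)    echo clone ;;
    esac
}

# Print the path of the tracking file in DIR whose key_nickname is NICKNAME;
# return 1 if no tracking entry has that nickname.
find_tracking_file() {
    dir=$1
    nick=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -qxF "key_nickname=$nick" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print the value of KEY from tracking FILE, or "(none)" when absent or empty,
# so an empty post-save command is visible rather than silently blank.
tracking_value() {
    file=$1
    key=$2
    val=$(sed -n "s/^$key=//p" "$file" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else echo "(none)"; fi
}

# Report the CA roles for one host: CS_CFG path, certmonger requests DIR, NICKNAME.
ca_role_report() {
    cs_cfg=$1
    req_dir=$2
    nick=$3
    echo "CRL generation: $(crl_master_status "$cs_cfg")"
    if tf=$(find_tracking_file "$req_dir" "$nick"); then
        echo "tracking file:  $tf"
        echo "pre-save:       $(tracking_value "$tf" cert_presave_command)"
        echo "post-save:      $(tracking_value "$tf" cert_postsave_command)"
    else
        echo "no certmonger tracking entry for '$nick'"
    fi
}

# Constructed sample inputs for running offline (RHEL 7 paths as in the
# thread; file contents invented for the demo, not copied from a real host).
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/requests"
    cat > "$d/CS.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
EOF
    cat > "$d/requests/20141022190721" <<'EOF'
id=20141022190721
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=subsystemCert cert-pki-ca
ca_name=dogtag-ipa-renew-agent
cert_presave_command=
cert_postsave_command=/usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
monitor=1
autorenew=1
EOF
    printf '%s\n' "$d"
}

# Real use:
#   ca_role_report /etc/pki/pki-tomcat/ca/CS.cfg /var/lib/certmonger/requests "subsystemCert cert-pki-ca"
# With no arguments, run against the constructed samples.
if [ $# -eq 3 ]; then
    ca_role_report "$1" "$2" "$3"
elif [ $# -eq 0 ]; then
    d=$(make_samples)
    ca_role_report "$d/CS.cfg" "$d/requests" "subsystemCert cert-pki-ca"
    rm -rf "$d"
fi
```

On a RHEL 6 CA the NSS database lives under /var/lib/pki-ca/alias and CS.cfg under /var/lib/pki-ca/conf, so pass those paths instead; the tracking files under /var/lib/certmonger are in the same place on both generations. Run it on each CA in turn and compare: only one host should report "master" for CRL generation.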

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
