Craig White wrote: > Following instructions from here > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html > > > > RHEL6 server > > # rpm -qa ipa-server > > ipa-server-3.0.0-42.el6.x86_64 > > > > RHEL7 server > > # rpm -q ipa-server > > ipa-server-4.1.0-18.el7_1.4.x86_64 > > > > I am down to the part where I am trying to make the new RHEL7 server the > master CA server > > > > On the RHEL6 system, I > > # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" > > Number of certificates and requests being tracked: 8. > > Request ID '20141022190721': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED > > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=STT.LOCAL > > subject: CN=CA Subsystem,O=STT.LOCAL > > expires: 2016-10-11 19:06:36 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > and the post-save command is empty, doesnt track the page. Should I > just ignore? I note that the output from this (save for different file > path on RHEL6) indicates that the original RHEL6 is still CA Master
There was a bug in certmonger where the pre/post save commands wouldn't display. I believe this was fixed, see if there is an updated package available. Otherwise you'd have to poke around in the tracking files in /var/lib/certmonger. > The CRL generation master can be determined by looking at CS.cfg on each CA: > > # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg > > ca.crl.MasterCRL.enableCRLUpdates=true > > > > > > Also, when I set up the second new IPA master, do I also make it a CA? I'd say yes. You always at at least 2 masters with a CA. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project