On 09/11/2015 03:29 PM, Rob Crittenden wrote: > Craig White wrote: >> Following instructions from here… >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html >> >> >> >> RHEL6 server >> >> # rpm -qa ipa-server >> >> ipa-server-3.0.0-42.el6.x86_64 >> >> >> >> RHEL7 server >> >> # rpm -q ipa-server >> >> ipa-server-4.1.0-18.el7_1.4.x86_64 >> >> >> >> I am down to the part where I am trying to make the new RHEL7 server the >> master CA server >> >> >> >> On the RHEL6 system, I >> >> # getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" >> >> Number of certificates and requests being tracked: 8. >> >> Request ID '20141022190721': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED >> >> certificate: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB' >> >> CA: dogtag-ipa-renew-agent >> >> issuer: CN=Certificate Authority,O=STT.LOCAL >> >> subject: CN=CA Subsystem,O=STT.LOCAL >> >> expires: 2016-10-11 19:06:36 UTC >> >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> >> eku: id-kp-serverAuth,id-kp-clientAuth >> >> pre-save command: >> >> post-save command: >> >> track: yes >> >> auto-renew: yes >> >> >> >> and the ‘post-save’ command is empty, doesn’t track the page. Should I >> just ignore? I note that the output from this (save for different file >> path on RHEL6) indicates that the original RHEL6 is still CA Master > > There was a bug in certmonger where the pre/post save commands wouldn't > display. I believe this was fixed, see if there is an updated package > available. Otherwise you'd have to poke around in the tracking files in > /var/lib/certmonger.
I think Rob meant this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1181022 It should be fixed in certmonger-0.75.14-3.el7. CCing Jan in case he knows about other similar fixes. > >> The CRL generation master can be determined by looking at CS.cfg on each CA: >> >> # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg >> >> ca.crl.MasterCRL.enableCRLUpdates=true >> >> >> >> >> >> Also, when I set up the second new IPA master, do I also make it a CA? > > I'd say yes. You always at at least 2 masters with a CA. > > rob > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project