Hi folks,
how come '--setup-ca' is not the default for
ipa-replica-install? What is best practice wrt creating
a local ca on the replicas?
Every insightful comment is highly appreciated.
Best seasons greetings
Harri
> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.
What is the downside of having every replica as a CA?
Because in case of big trouble with your master, if your replica is not a
CA you cannot replace your master from this replica, right?
In particular
On Mon, 2015-12-28 at 13:10 +0100, Harald Dunkel wrote:
> Hi folks,
>
> how come '--setup-ca' is not the default for
> ipa-replica-install? What is best practice wrt creating
> a local ca on the replicas?
>
> Every insightful comment is highly appreciated.
There is no need to have a CA on
On Mon, 2015-12-28 at 19:18 +0100, Karl Forner wrote:
> > There is no need to have a CA on every ipa server, so a CA is not
> > installed by default.
>
> What is the downside of having every replica as a CA?
A CA is relatively heavyweight as the Dogtag code brings up a whole Java
VM, also it