On Wed, 06 Dec 2017, Bret Wortman via FreeIPA-users wrote:
Is there an online guide to turning on a CA?

We had one, which signed all our SSL Certs and such. It worked quite nicely. Then we rolled an upgrade around our IPA servers to get them from Fedora to Centos, and in the process, we failed to migrate the CA, so we ended up with 3 servers without a CA.

Fast-forward to today, and we lost one, which was our intended CA. So now I have two servers (a and z) which are working just fine but we can't create new SSL certs signed by our IPA CA.

How can I go about promoting one of these to CA? I know I followed online directions the last time, but that was years ago and I've lost the link. Thanks!

It's a private development network, so relying on external CAs isn't an option.

If you are OK with re-issuing all certificates with a completely new CA
that will be installed, you can start with 'ipa-ca-install'.

You need to make sure your old CA master which you lost is disconnected
from the topology first because ipa-ca-install would otherwise attempt
to promote the replica it runs on to CA by obtaining CA certificates
from existing CA (which you don't have anymore).

If ipa-ca-install succeeded, then you'd need to re-issue certificates
for existing IPA services on this host using 'getcert' utility. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IO6BSB6K76E5XRM4IQEFJRTIPK6KKXFX/
for details on how to perform that. The example in that email does not
concern the new CA case, but re-issuing the certificate requests should be done
similarly.

Most likely you'd have to experiment, so it's best to clone a VM and
isolate it from the rest of the topology before doing the actual changes.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
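The sequence from the reply above, as an added example that is not part of the thread and not FreeIPA project code: drop the lost CA master from the topology, run ipa-ca-install on a surviving replica, then find the certmonger requests on that host that the IPA CA issued and resubmit them. The hostname, realm and the trimmed 'getcert list' output are constructed; the 'ipa server-del' flags assume FreeIPA 4.5 or later, and the script only prints the privileged commands unless DRY_RUN=0.

```shell
#!/bin/bash
# Added example, not code from the thread or from the FreeIPA project.
# Re-establishing a CA on a surviving replica after the CA master is lost,
# then re-issuing this host's IPA-signed service certificates via certmonger.
# Hostname, realm and the sample 'getcert list' output below are constructed.
set -eu

LOST_CA_MASTER="${LOST_CA_MASTER:-lost-ca.example.test}"   # assumed hostname
DRY_RUN="${DRY_RUN:-1}"                                     # 1 = print only

# Print a command and execute it only when DRY_RUN=0.
run() {
    echo "+ $*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# 1. Remove the dead CA master first, so ipa-ca-install does not try to
#    fetch the CA certificates from it. Flags assume FreeIPA 4.5 or later;
#    older releases use 'ipa-replica-manage del --force' instead.
remove_lost_master() {
    run ipa server-del "$LOST_CA_MASTER" --force \
        --ignore-topology-disconnect --ignore-last-of-role
}

# 2. Install a brand-new CA on this replica (prompts for the Directory
#    Manager password). Everything the old CA signed must then be re-issued.
install_new_ca() {
    run ipa-ca-install
}

# 3. From 'getcert list' output on stdin, print the request IDs certmonger
#    tracks against the IPA CA. Requests handled by other CAs (for example the
#    dogtag renew agent for the CA subsystem certs ipa-ca-install just created)
#    are skipped. Each request block ends with the 'auto-renew:' line.
ipa_ca_request_ids() {
    awk '
        /^Request ID/ { id = $0; gsub(/[^0-9]/, "", id); ca = "" }
        /^[[:space:]]*CA:/ { ca = $2 }
        /^[[:space:]]*auto-renew:/ { if (ca == "IPA") print id }
    '
}

# 4. Ask certmonger for a fresh certificate from the (new) IPA CA for each
#    such request; with DRY_RUN=1 only the commands are printed.
resubmit_ipa_ca_requests() {
    ipa_ca_request_ids | while read -r id; do
        run getcert resubmit -i "$id"
    done
}

# Constructed, trimmed sample of 'getcert list' output on replica 'a':
# two IPA-issued service certs and one CA-subsystem cert to be skipped.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20171206000001':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa-a.example.test,O=EXAMPLE.TEST
        expires: 2019-12-06 00:00:01 UTC
        track: yes
        auto-renew: yes
Request ID '20171206000002':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
        expires: 2019-12-06 00:00:02 UTC
        track: yes
        auto-renew: yes
Request ID '20171206000003':
        status: MONITORING
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa-a.example.test,O=EXAMPLE.TEST
        expires: 2019-12-06 00:00:03 UTC
        track: yes
        auto-renew: yes
EOF
)

# Dry-run demo over the constructed sample: ./script.sh --demo
# On the real host: getcert list | resubmit_ipa_ca_requests
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GETCERT_LIST" | resubmit_ipa_ca_requests
fi
```

With the sample input the filter selects requests 20171206000001 and 20171206000003 and skips the dogtag-managed one. The new CA certificate also has to reach the other replica and every client before they will trust the re-issued certificates; 'ipa-certupdate' on those hosts does that, and the same resubmit loop then applies to the other replica's own IPA-issued certificates (my inference from the reply, not something it states).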