Hi,
We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
However, the first step, knowing which is the present master, is blocking us. ldapsearch does not return the info we need:
ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Neither one of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in /etc/pki/pki-tomcat/ca/CS.cfg
Is there a more up-to-date doc about this?
All FreeIPA servers are:
CentOS Linux release 7.5.1804 (Core)
VERSION: 4.5.4, API_VERSION: 2.228
Thank you