Is there an online guide to turning on a CA?
We had one, which signed all our SSL Certs and such. It worked quite nicely. Then we rolled an upgrade around our IPA servers to get them from Fedora to Centos, and in the process, we failed to migrate the CA, so we ended up with 3 servers without a CA.
Fast-forward to today, and we lost one, which was our intended CA. So now I have two servers (a and z) which are working just fine but we can't create new SSL certs signed by our IPA CA.
How can I go about promoting one of these to CA? I know I followed online directions the last time, but that was years ago and I've lost the link. Thanks!
It's a private development network, so relying on external CAs isn't an option.
On Wed, 06 Dec 2017, Bret Wortman via FreeIPA-users wrote:
If you are OK with re-issuing all certificates with a completely new CA that will be installed, you can start with 'ipa-ca-install'.
You need to make sure the old CA master you lost is disconnected from the topology first, because ipa-ca-install would otherwise attempt to promote the replica it runs on to a CA by obtaining CA certificates from the existing CA (which you don't have anymore).
If ipa-ca-install succeeded, then you'd need to re-issue certificates for the existing IPA services on this host using the 'getcert' utility. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... for details on how to perform that. The example in that email does not concern the new CA case, but re-issuing the certificate requests should be done similarly.
Most likely you'd have to experiment, so it is best to clone a VM and isolate it from the rest of the topology before doing the actual changes.
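The three steps in the reply above (drop the lost CA master from the topology, run ipa-ca-install, resubmit the certmonger requests) as a script for the surviving replica. This is an added example, not code from the thread or from the FreeIPA project. The hostnames (ca.example.test for the lost CA master, a.example.test for the replica it runs on), the realm EXAMPLE.TEST and the 'getcert list' sample are made up; the getcert parser is mine. The commands themselves (ipa server-del --force, ipa-ca-install, getcert resubmit -i, ipa-certupdate) are the real tools' invocations. It defaults to a dry run that only prints what it would execute, which fits the advice to rehearse on an isolated clone first.

```bash
#!/bin/bash
# Added example (not from the thread): rebuild the IPA CA on a surviving CA-less replica.
# Assumed names: lost CA master ca.example.test, this replica a.example.test, realm
# EXAMPLE.TEST. Run as root on the replica. DRY_RUN=1 (default) only prints commands.
set -u

LOST_MASTER="${LOST_MASTER:-ca.example.test}"   # assumed name of the lost CA master
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: remove the lost CA master from the topology first, otherwise
# ipa-ca-install tries to fetch CA material from a server that no longer exists.
remove_lost_master() {
    run ipa server-del "$LOST_MASTER" --force
    # Domain level 0 deployments use instead: ipa-replica-manage del "$LOST_MASTER" --force
}

# Step 2: promote this replica to a CA. With no CA left this creates a brand-new CA
# (ipa-ca-install prompts for the Directory Manager and admin passwords), so every
# certificate the old CA issued has to be re-issued afterwards.
install_new_ca() {
    run ipa-ca-install
}

# Step 3a: turn 'getcert list' text into one "REQUEST_ID CA STATUS" line per request.
# The ID sits between single quotes on the "Request ID" line; the other fields are
# indented (a tab on a real host, spaces in the sample below).
parse_getcert_list() {
    awk -v q="'" '
        /^Request ID/ {
            if (id != "") print id, ca, st
            split($0, p, q); id = p[2]; ca = ""; st = ""
        }
        /^[[:space:]]*status:/ { st = $2 }
        /^[[:space:]]*CA:/     { ca = $2 }
        END { if (id != "") print id, ca, st }
    '
}

# Step 3b: only requests tracked against the IPA CA need re-issuing; certificates
# from other CAs (e.g. "local") are left alone.
ipa_request_ids() {
    parse_getcert_list | awk '$2 == "IPA" { print $1 }'
}

# Step 3c: ask certmonger to resubmit each IPA-tracked request so the new CA signs
# it, then refresh the local trust stores with the new CA certificate.
resubmit_ipa_certs() {
    for id in $(getcert list 2>/dev/null | ipa_request_ids); do
        run getcert resubmit -i "$id"
    done
    run ipa-certupdate
}

rebuild_ca() {
    remove_lost_master
    install_new_ca
    resubmit_ipa_certs
}

# Constructed sample of 'getcert list' output (not captured from a real host) to
# exercise the parser offline: two IPA-issued service certs and one local cert.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20171206120001':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=a.example.test,O=EXAMPLE.TEST
Request ID '20171206120002':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=a.example.test,O=EXAMPLE.TEST
Request ID '20171206120003':
    status: MONITORING
    certificate: type=FILE,location='/etc/pki/tls/certs/selfsigned.pem'
    CA: local
    subject: CN=a.example.test
EOF
}

# Usage: review with  DRY_RUN=1 ./rebuild-ca.sh go  then execute with  DRY_RUN=0 ./rebuild-ca.sh go
if [ "${1:-}" = "go" ]; then
    rebuild_ca
fi
```

Check the dry-run listing before flipping DRY_RUN to 0: the request IDs it prints should cover the HTTP and LDAP server certificates on the host, and anything tracked against a CA other than IPA should be absent from the resubmit list.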
freeipa-users@lists.fedorahosted.org