On 08/13/2014 02:15 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 08/12/2014 11:49 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> The documentation seems to be a little fuzzy on setting up two CAs. Some parts indicate this is a bad idea because the CRLs can clobber each other; other parts, such as the migration guide from RHEL 6.5 to 7, seem to indicate that it is ok, albeit maybe that is just for a short time.
>>
>>> It isn't a bad idea to stand up clones, you just need to understand that this is one of the rare places where all masters are not equal. One has to be designated as the CRL generator and one as the CA renewal master. These don't have to be the same but it makes sense to keep them together IMHO.
>>
>>> The reason to limit CRL generation to one master is the small chance that you could end up with two CRLs with the same serial number but containing different certificates. Remember that a CRL is just a signed snapshot in time of revoked certificates.
>>
>>> Similarly for renewal it is vastly easier to do it on one host than try to manage the race condition of them trying to renew at the same time.
>>
>>>> What I am wondering, because I get a little nervous when all my data for the CA is on one host (backups aside), is whether there is a value, assuming that having two concurrent dogtag instances is a bad thing, to replicating the ipaca data in LDAP. Just the data I mean: would it be possible, having just the LDAP data and whatever certs are in the replica file, to basically reconstruct a CA?
>>
>>> Right, you want at least two CAs for redundancy. Some dogtag guru could probably stand up a new CA using just the LDAP data and the certs but I can't imagine it would be easy, even for them.
>>
>>> rob
>>
>>
>> Ok, are there manual steps involved in that or does the --setup-ca on the replica just take care of everything?
>>
>> I certainly hope I am not looking in the wrong place, I just can't seem to find anything definitive in the docs.
>
> --setup-ca does it all for you. Dogtag actually handles the creation of the replication agreement so we don't do a lot other than to tell it the remote server and provide the initial certs/keys.
>
> You can use ipa-csreplica-manage to view/manage CA replication agreements.
>
> rob
>

Also, in case you choose to, for example, decommission your current CRL generator, you can switch that role to another machine using this HOWTO:
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
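An added example, not part of the thread above: a small audit that checks Rob's invariant (exactly one CA master generating CRLs) across the CS.cfg of each CA replica. It assumes the Dogtag CS.cfg keys `ca.crl.MasterCRL.enableCRLUpdates` and `ca.crl.MasterCRL.enableCRLCache` are what marks the CRL generator (the keys the linked HOWTO toggles; verify against your Dogtag version), and the host names and config excerpts are constructed.

```python
"""Audit which CA masters are configured as the CRL generator.

Exactly one CA master should generate CRLs; two generators can
publish CRLs with the same serial number but different contents,
and zero generators means revocations are never published.
"""

# Assumed Dogtag CS.cfg keys that mark a CA instance as the CRL generator.
CRL_KEYS = (
    "ca.crl.MasterCRL.enableCRLUpdates",
    "ca.crl.MasterCRL.enableCRLCache",
)


def parse_cs_cfg(text):
    """Parse Dogtag CS.cfg (key=value lines, '#' comments) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_crl_generator(settings):
    """A master generates CRLs only when both keys are set to true."""
    return all(settings.get(k, "false").lower() == "true" for k in CRL_KEYS)


def audit(configs):
    """Return (generators, problems) for a mapping host -> CS.cfg text."""
    generators = sorted(h for h, cfg in configs.items()
                        if is_crl_generator(parse_cs_cfg(cfg)))
    problems = []
    if not generators:
        problems.append("no CA master generates CRLs: revocations never published")
    elif len(generators) > 1:
        problems.append("multiple CRL generators: " + ", ".join(generators))
    return generators, problems


# Constructed sample excerpts (hypothetical hosts); both enabled is the bad case.
SAMPLE = {
    "ipa1.example.test": "ca.crl.MasterCRL.enableCRLCache=true\n"
                         "ca.crl.MasterCRL.enableCRLUpdates=true\n",
    "ipa2.example.test": "# clone that was never demoted\n"
                         "ca.crl.MasterCRL.enableCRLCache=true\n"
                         "ca.crl.MasterCRL.enableCRLUpdates=true\n",
}

if __name__ == "__main__":
    gens, probs = audit(SAMPLE)
    print("CRL generators:", gens)
    for p in probs:
        print("PROBLEM:", p)
```

In practice, feed it the CS.cfg from each CA master (for example by gathering the files to the admin host first) rather than the embedded sample.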