Following instructions from here...
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
RHEL6 server
# rpm -qa ipa-server
ipa-server-3.0.0-42.el6.x86_64
RHEL7 server
# rpm -q ipa-server
ipa-server-4.1.0-18.el7_1.4.x86_64
I am down to the part where I am trying to make the new RHEL7 server the master CA server.
On the RHEL6 system, I
# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=STT.LOCAL
    subject: CN=CA Subsystem,O=STT.LOCAL
    expires: 2016-10-11 19:06:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
and the 'post-save' command is empty, doesn't track the page. Should I just ignore it? I note that the output from this (save for a different file path on RHEL6) indicates that the original RHEL6 is still CA Master:
The CRL generation master can be determined by looking at CS.cfg on each CA:
# grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
ca.crl.MasterCRL.enableCRLUpdates=true
Also, when I set up the second new IPA master, do I also make it a CA?
Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
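
The two checks made in the message above, written as an added example that is not part of the original post or of the Red Hat guide: read ca.crl.MasterCRL.enableCRLUpdates from each CA's CS.cfg and count how many CAs have it enabled, and report whether each tracked request in `getcert list` output has a post-save command. The function names are hypothetical, the CS.cfg paths are passed in as arguments, and all sample data is constructed.

```shell
#!/bin/sh
# Added example: inputs below are constructed, not taken from a real host.

# Value of ca.crl.MasterCRL.enableCRLUpdates in one CS.cfg ("unset" if absent).
crl_updates() {
    awk -F= '$1 == "ca.crl.MasterCRL.enableCRLUpdates" { v = $2 }
             END { print (v == "" ? "unset" : v) }' "$1"
}

# Number of the given CS.cfg files that have CRL updates enabled.
crl_master_count() {
    n=0
    for f in "$@"; do
        if [ "$(crl_updates "$f")" = "true" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Read `getcert list` output on stdin; print "<request id> <empty|set>"
# for the post-save command of every tracked request.
postsave_report() {
    awk '/^Request ID/ { split($0, a, "\047"); id = a[2] }
         /post-save command:/ {
             sub(/^.*post-save command:[ \t]*/, ""); sub(/[ \t]+$/, "")
             print id, ($0 == "" ? "empty" : "set")
         }'
}

# Constructed sample: an old CA still generating CRLs, a new CA that is not.
demo() {
    d=$(mktemp -d)
    printf 'ca.crl.MasterCRL.enableCRLCache=true\nca.crl.MasterCRL.enableCRLUpdates=true\n' > "$d/old.cfg"
    printf 'ca.crl.MasterCRL.enableCRLUpdates=false\n' > "$d/new.cfg"
    echo "old=$(crl_updates "$d/old.cfg") new=$(crl_updates "$d/new.cfg")"
    echo "CAs generating CRLs: $(crl_master_count "$d/old.cfg" "$d/new.cfg")"
    printf "Request ID '1':\n\tpost-save command: \nRequest ID '2':\n\tpost-save command: /bin/true\n" | postsave_report
    rm -rf "$d"
}
demo
```

Copy each server's CS.cfg to one place and pass all of them to `crl_master_count`; a result other than 1 means CRL generation is either duplicated or not assigned to any CA.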