> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.

What is the downside of having every replica as a CA? Because in case of big trouble with your master, if your replica is not a CA you can not replace your master from this replica right? In particular you can not make another replica from your existing replica.

On Mon, Dec 28, 2015 at 7:11 PM, Simo Sorce <s...@redhat.com> wrote:

> On Mon, 2015-12-28 at 13:10 +0100, Harald Dunkel wrote:
> > Hi folks,
> >
> > how comes that '--setup-ca' is not the default for
> > ipa-replica-install? What is best practice wrt creating
> > a local ca on the replicas?
> >
> > Every insightful comment is highly appreciated.
>
> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.
>
> You can pass --setup-ca at install time or you can use ipa-ca-install
> later on.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project