Hi folks,
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/migrating_to_identity_management_on_rhel_8/index#assigning-the-ca-renewal-server-role-to-the-rhel-8-idm-server_migrate-7-to-8
describes how to move the CA renewal server from RHEL 7 to a new
host with RHEL 8, apparently for using a self-signed root CA. Is
this the same procedure for using an external root CA? Do I have
to create a CSR for the new host first, to be signed by the
external CA, and then import it?
If you have an externally-signed IPA CA and want to install a RHEL8 replica, the replica installation procedure does not involve the external CA. If you install the CA role on the replica (either with ipa-replica-install --setup-ca or ipa-replica-install followed by ipa-ca-install), the replica will get the same private key and IPA CA cert during the installation (and will have the same cert chain external root CA > IPA CA).
When you decommission the RHEL7 server, you need to switch the CA renewal role to the RHEL8 server (the CA renewal role is set on a single server, even if the CA role can be set on multiple servers) and the procedure does not care whether the IPA CA was self-signed or externally-signed.
Do not forget to also transfer the CRL generation role to the RHEL8 server.
Hope this clarifies,
flo
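A small post-migration check to go with the reply above, added here as an example and not part of the thread or of the FreeIPA project. It assumes the two roles were moved with the usual commands (`ipa config-mod --ca-renewal-master-server <new-host>` on the RHEL 8 server, `ipa-crlgen-manage enable` there and `ipa-crlgen-manage disable` on the RHEL 7 server), and then parses the output of `ipa config-show` and `ipa-crlgen-manage status` to confirm that both the CA renewal master and CRL generation now point at the new host. The host names rhel8.example.test / rhel7.example.test and the sample command output are constructed for the example; the "IPA CA renewal master:" and "CRL generation:" line formats are assumed to match current FreeIPA output.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the CA renewal master and
# CRL generation roles were moved to the RHEL 8 server after decommissioning
# the RHEL 7 server. Host names and sample output below are constructed.
set -eu

# Print the renewal master from `ipa config-show` output read on stdin.
# Assumed line format: "  IPA CA renewal master: <host>"
renewal_master_from_config() {
    sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p'
}

# Print the state from `ipa-crlgen-manage status` output read on stdin.
# Assumed line format: "CRL generation: enabled" or "CRL generation: disabled"
crlgen_state_from_status() {
    sed -n 's/^CRL generation:[[:space:]]*//p'
}

# Return 0 when the renewal master on stdin is exactly $1, 1 otherwise.
verify_renewal_master() {
    [ "$(renewal_master_from_config)" = "$1" ]
}

# Return 0 when the CRL generation state on stdin is exactly $1, 1 otherwise.
verify_crlgen_state() {
    [ "$(crlgen_state_from_status)" = "$1" ]
}

# Constructed sample output standing in for the live commands.
SAMPLE_CONFIG='  Maximum username length: 32
  IPA CA renewal master: rhel8.example.test
  IPA masters: rhel7.example.test, rhel8.example.test'
SAMPLE_CRLGEN_NEW='CRL generation: enabled
Last CRL update: 2020-01-01 00:00:00
The ipa-crlgen-manage command was successful'
SAMPLE_CRLGEN_OLD='CRL generation: disabled
The ipa-crlgen-manage command was successful'

main() {
    # On a live server, replace the printf with the real commands, e.g.
    #   ipa config-show | verify_renewal_master rhel8.example.test
    #   ipa-crlgen-manage status | verify_crlgen_state enabled   (on rhel8)
    #   ipa-crlgen-manage status | verify_crlgen_state disabled  (on rhel7)
    if printf '%s\n' "$SAMPLE_CONFIG" | verify_renewal_master rhel8.example.test; then
        echo "CA renewal master is rhel8.example.test: OK"
    else
        echo "CA renewal master is not rhel8.example.test: FAIL" >&2
        return 1
    fi
    if printf '%s\n' "$SAMPLE_CRLGEN_NEW" | verify_crlgen_state enabled; then
        echo "CRL generation enabled on rhel8.example.test: OK"
    else
        echo "CRL generation not enabled on rhel8.example.test: FAIL" >&2
        return 1
    fi
    if printf '%s\n' "$SAMPLE_CRLGEN_OLD" | verify_crlgen_state disabled; then
        echo "CRL generation disabled on rhel7.example.test: OK"
    else
        echo "CRL generation still enabled on rhel7.example.test: FAIL" >&2
        return 1
    fi
}

main
```

Run the live variant on each server in turn; the CRL check needs to be enabled on exactly one server, so both the "enabled" check on the RHEL 8 host and the "disabled" check on the RHEL 7 host should pass before the old server is shut down.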
Sorry for asking, but I have the impression this detail is missing
in RedHat's documentation. Every insightful comment is highly
appreciated.
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue