Hi,
We've created a new replica from our FreeIPA infrastructure, with CA
capabilities. Now we want it to be the CA renewal master, as it's written
here:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
However, the first step, knowing which is the present master, is blocking
us. ldapsearch does not return the info we need:
ldapsearch -D 'cn=Directory Manager' -W \
    -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' \
    '(ipaConfigString=caRenewalMaster)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Neither one of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in
/etc/pki/pki-tomcat/ca/CS.cfg
Is there any more updated doc about this?
All FreeIPA servers are:
CentOS Linux release 7.5.1804 (Core)
VERSION: 4.5.4, API_VERSION: 2.228
Thank you