Bret Wortman via FreeIPA-users wrote:
If this is the correct search, then no. It's gone.
# ldapsearch -D 'cn=directory manager' -b 'o=ipaca' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
It wouldn't matter much anyway because the private keys aren't stored in
LDAP. What you'd need is the cacert.p12 generated by the original
installation.
The dogtag team has some instructions for standing up a new CA with just
the certs but the IPA team hasn't had time to evaluate them at all,
http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_Certificate...
This seems to assume you have an existing, working server as well.
But basically if you don't have the original CA keys anywhere you are
completely dead in the water. If you have them there is a remote chance
you could stand up a replacement CA but:
- we can't help you do it because we've never done it
- we don't know what sort of dragons would be lurking (revocations would
blow up, for example, because the certs aren't there because you don't
have o=ipaca).
rob
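A small triage script, added here as an example and not part of Rob's reply, that automates the two checks the thread turns on: whether the o=ipaca tree still answers in LDAP, and whether a cacert.p12 from the original installation is present and actually carries a private key. The path /root/cacert.p12 and the use of the Directory Manager password for both LDAP and the PKCS#12 bundle are assumptions; adjust them for your deployment.

```shell
#!/bin/sh
# Added triage helper for a FreeIPA server that lost its CA.
# Assumptions: the CA suffix is o=ipaca (as in the thread); the install-time
# bundle lives at /root/cacert.p12; DM_PASS is the Directory Manager password
# and, unless P12_PASS is set, also protects the PKCS#12 file.

# Pull the numeric LDAP result code out of ldapsearch's LDIF output on stdin,
# e.g. "result: 32 No such object" -> 32.
ldap_result_code() {
    awk '/^result: / { print $2; exit }'
}

# Interpret that code: 0 means the base entry o=ipaca exists and answered,
# 32 ("No such object") means the CA database is gone from LDAP.
ipaca_state() {
    case "$1" in
        0)  echo present ;;
        32) echo missing ;;
        *)  echo "error($1)" ;;
    esac
}

# Live checks run only when a password is supplied:
#   DM_PASS='...' [P12_PASS='...'] sh ca-triage.sh
if [ -n "${DM_PASS:-}" ]; then
    code=$(ldapsearch -x -D 'cn=directory manager' -w "$DM_PASS" \
               -b 'o=ipaca' -s base 2>/dev/null | ldap_result_code)
    echo "o=ipaca in LDAP: $(ipaca_state "${code:-unknown}")"

    p12=/root/cacert.p12
    if [ -f "$p12" ]; then
        # Private keys are never stored in LDAP, so the bundle is what matters:
        # confirm it really contains a key, not just the certificates.
        if openssl pkcs12 -in "$p12" -nocerts -noout \
                -passin "pass:${P12_PASS:-$DM_PASS}" 2>/dev/null; then
            echo "$p12: private key readable (a CA rebuild is at least possible)"
        else
            echo "$p12: no readable private key (wrong password, or certs only)"
        fi
    else
        echo "$p12: not found; without the CA keys the CA cannot be rebuilt"
    fi
fi
```

Run it on each surviving server; a "missing" LDAP result together with no readable key is the "dead in the water" case described above.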
On 02/21/2018 11:45 AM, Jochen Hein wrote:
> Bret Wortman via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> writes:
>
>> I may be going about this in the hardest way possible, so let me stop
>> and roll everything back to my root need:
>>
>> I have two IPA servers which manage our infrastructure. We used to
>> have three, but a catastrophic failure on one led to its total
>> loss. And it was our CA.
>>
>> So now we have no CA -- is there a way to promote an existing system
>> to take over? I realize it may well mean distributing a new root CA
>> cert to everyone, but that seems less painful now than trying to set
>> up a brand new cluster of servers and try to port our data over to
>> them...
> I'd start looking for the CA data in LDAP. If you still have it, you
> might be lucky; if not, there's no way to recreate the data (besides a
> backup of the failed server, which I guess doesn't exist any longer).
>
> Do you have a tree o=ipaca in your LDAP?
>
> Jochen
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org