Hi folks,
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
describes how to move the CA renewal server from RHEL 7 to a new host with RHEL 8, apparently for using a self-signed root CA. Is this the same procedure for using an external root CA? Do I have to create a CSR for the new host first, to be signed by the external CA, and then import it?
Sorry for asking, but I have the impression this detail is missing in Red Hat's documentation. Every insightful comment is highly appreciated.
Harri
Hi,
On Thu, Jul 6, 2023 at 9:55 AM Harald Dunkel via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi folks,
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
> describes how to move the CA renewal server from RHEL 7 to a new host with RHEL 8, apparently for using a self-signed root CA. Is this the same procedure for using an external root CA? Do I have to create a CSR for the new host first, to be signed by the external CA, and then import it?
If you have an externally-signed IPA CA and want to install a RHEL8 replica, the replica installation procedure does not involve the external CA. If you install the CA role on the replica (either with ipa-replica-install --setup-ca or ipa-replica-install followed by ipa-ca-install), the replica will get the same private key and IPA CA cert during the installation (and will have the same cert chain: external root CA -> IPA CA).
When you decommission the RHEL7 server, you need to switch the CA renewal role to the RHEL8 server (the CA renewal role is set on a single server, even if the CA role can be set on multiple servers), and the procedure does not care whether the IPA CA was self-signed or externally-signed. Do not forget to also transfer the CRL generation role to the RHEL8 server.
Hope this clarifies,
flo
> Sorry for asking, but I have the impression this detail is missing in Red Hat's documentation. Every insightful comment is highly appreciated.
> Harri
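The two role transfers flo describes (CA renewal master and CRL generation) are easy to get half-done, so the check below is worth running before the RHEL 7 server is removed from the topology. It is an added example for this thread, not code from the posters or from the FreeIPA project: the hostnames rhel7.example.test and rhel8.example.test are assumed, and the `ipa config-show` / `ipa-crlgen-manage status` output it parses is a constructed sample embedded inline so the script runs offline. The real commands to produce that output on the new server are listed in the comments; the IPA subcommands themselves (`ipa config-mod --ca-renewal-master-server`, `ipa-crlgen-manage`) exist in the RHEL 8 FreeIPA release, but on the RHEL 7 side the CRL generation role is disabled with the manual steps in the linked Red Hat guide rather than with `ipa-crlgen-manage`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): confirm that the new RHEL 8 server now
# holds the CA renewal master role and generates the CRL. Hostnames are assumed.
set -euo pipefail

NEW_MASTER="${NEW_MASTER:-rhel8.example.test}"

# Real commands to run on the new server, with an admin Kerberos ticket:
#   kinit admin
#   ipa config-show | grep 'IPA CA renewal master'
#   ipa config-mod --ca-renewal-master-server "$NEW_MASTER"
#   ipa-crlgen-manage enable      # on the new server; disable on the old one first
#   ipa-crlgen-manage status

# Pull the renewal master hostname out of `ipa config-show` text ($1).
renewal_master_from() {
  printf '%s\n' "$1" | awk -F': *' '/^ *IPA CA renewal master:/ { print $2; exit }'
}

# Pull "enabled"/"disabled" out of `ipa-crlgen-manage status` text ($1).
crlgen_state_from() {
  printf '%s\n' "$1" | awk -F': *' '/^CRL generation:/ { print $2; exit }'
}

# Both roles must point at NEW_MASTER for the old server to be safe to remove.
# $1: config-show output, $2: crlgen status output captured on NEW_MASTER.
check_roles() {
  local master state
  master=$(renewal_master_from "$1")
  state=$(crlgen_state_from "$2")
  if [ "$master" = "$NEW_MASTER" ] && [ "$state" = "enabled" ]; then
    echo "ok: $NEW_MASTER is CA renewal master and generates the CRL"
    return 0
  fi
  echo "not ready: renewal master='$master', CRL generation on $NEW_MASTER='$state'" >&2
  return 1
}

# Constructed sample output (what the commands above would print after the move).
SAMPLE_CONFIG='Server configuration
  Maximum username length: 32
  IPA CA renewal master: rhel8.example.test
  IPA master hosts: rhel7.example.test, rhel8.example.test'

SAMPLE_CRLGEN='CRL generation: enabled
Last CRL update: 2023-07-06 09:00:00
Last CRL Number: 42'

# Constructed "before" state: renewal role still on the RHEL 7 host.
STALE_CONFIG='Server configuration
  IPA CA renewal master: rhel7.example.test'

check_roles "$SAMPLE_CONFIG" "$SAMPLE_CRLGEN"
```

Run it on the RHEL 8 server after the two transfers, replacing the sample strings with `"$(ipa config-show)"` and `"$(ipa-crlgen-manage status)"`; a non-zero exit means one of the roles is still on the old host and the decommissioning should wait.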