Auerbach, Steven via FreeIPA-users wrote:
> Can we add the CA mastery or CA replica to an IPA v4 server that is a
> replica and later promote to CA mastery? We have a IPA v3 server that
> has been the only CA master for several years. We have a recent IPAv4
> replica that was set up without DNS or CA or NTP at the point of
> creation, so only the LDAP is in the replication agreement. We are
> trying to retire the IPA v3 servers and have a new replication pair in
> IPA v4 without breaking the realm and all our clients and users
> records. We keep running into walls and roadblocks as we try to build a
> procedure we can execute in an off-hours maintenance window.
Run ipa-ca-install to add a CA to a master that does not have the role
configured.
rob