this will let you add outside certs for the services that would be visible to users:
It doesn’t actually turn off the CA functionality, but it becomes largely unused.
I’d actually be interested in a way to completely move to CA-less operation if there is one.
On Oct 3, 2019, at 5:15 AM, Marco V. via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
We've installed a replicated 7Server IPA setup with an internal CA.
Now, due to corporate policies we need to migrate to a no-CA setup (because we need to
use corporate-signed certificates, and a sub-CA is also not allowed.) So we need to
migrate from 7Server internal-CA replicated IPA to 8Server no-CA replicated IPA.
ipa-replica-install does not support --ca-cert-file, so we cannot install the new replica
with the corporate certificates straight away.
What would be the correct procedure?
I've come up with the following steps:
1. install the new 8Server replicas without CA (they will get the self-signed
   certificates from the existing 7Server master (first master))
2. first add the corporate root CA to both the 7Server and 8Server nodes' system
   ca-bundle.trust.crt
3. manually replace the HTTP and LDAP certificates with corporate-signed certificates
4. remove the 7Server replica and first master, so we end up with the no-CA 8Server
   nodes only
I'm wondering whether replication will still be functional when performing step 3,
but I can perform additional testing on that.
We are running production with our setup, so we need an 'online' migration
strategy.
Would this be the best approach or do I need another solution? ;-)
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
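As an added example (not from the thread above and not FreeIPA's own code), the pre-flight checks a defender would run before step 3, followed by steps 2 and 3 for one node. The tool names and option usage (ipa-cacert-manage, ipa-certupdate, ipa-server-certinstall, update-ca-trust, ipactl) are assumed from RHEL/CentOS 8; the CA bundle, certificate and key paths and the DM_PASSWORD variable are assumptions.

```bash
#!/bin/bash
# Added example for steps 2-3 of the migration above; not from the original thread
# or from FreeIPA itself. Assumed inputs: corporate root CA (PEM), the corporate-
# signed service certificate (PEM) and its unencrypted private key (PEM).

# Returns 0 when CERT ($1) chains to the corporate root CA in CA_BUNDLE ($2).
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when private key ($2) belongs to CERT ($1): their public keys are identical.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Returns 0 when CERT ($1) lists HOST ($2) as a DNS Subject Alternative Name
# (exact match, so ipa1.example.com does not pass for ipa1.example.com.evil).
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Run on EVERY node: steps 2 and 3 for this host. Assumes the RHEL/CentOS 8 tools
# ipa-cacert-manage, ipa-certupdate, ipa-server-certinstall, update-ca-trust and
# ipactl, and the Directory Manager password in $DM_PASSWORD (all assumptions).
install_service_certs() {
    local ca_bundle=$1 cert=$2 key=$3 host
    host=$(hostname -f)
    cert_chains_to_ca "$cert" "$ca_bundle" || { echo "cert does not chain to corporate CA" >&2; return 1; }
    key_matches_cert "$cert" "$key"       || { echo "key does not belong to cert" >&2; return 1; }
    cert_has_san "$cert" "$host"          || { echo "cert has no SAN for $host" >&2; return 1; }
    # Step 2: OS trust store, then IPA's own CA list (ipa-certupdate pushes it into the
    # 389-ds and httpd NSS databases). Finish this on all nodes before step 3 on any:
    # replication runs over TLS, so each peer must trust the CA of the other's LDAP cert.
    cp "$ca_bundle" /etc/pki/ca-trust/source/anchors/corp-root.crt && update-ca-trust
    ipa-cacert-manage -p "$DM_PASSWORD" install "$ca_bundle" -n CorpRoot -t C,,
    ipa-certupdate
    # Step 3: replace the HTTP (-w) and LDAP (-d) certificates, then restart services.
    # --pin '' is assumed to be the way to pass an empty passphrase for a plain PEM key.
    ipa-server-certinstall -w -d -p "$DM_PASSWORD" --pin '' "$cert" "$key"
    ipactl restart
}
```

Run the three check functions on each node's certificate before any service is touched; a failure in cert_chains_to_ca on a node that has not yet completed step 2 is the replication breakage the post worries about.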