[Freeipa-users] Re: Online migration from internal CA to no-CA setup

On Oct 3, 2019, at 5:15 AM, Marco V. via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; wrote: Hi, We've installed a replicated 7Server IPA setup with a internal CA. Now, due to corporate policies we need to migrate to a no-CA setup (because we need to use corporate signed Certificates and a sub-CA is also not allowed..) So we need to migrate from 7Server internal-CA replicated IPA to 8Server no-CA replicated IPA. ipa-replica-install does not support --ca-cert-file, so we cannot install the new replica with the corporate certificates straight away. What would be the correct procedure? I've come up with the following steps: 1. install the new 8Server replicas without CA, (They will get the self-signed certificates from existing 7Server master (first master)) 2. first add corporate root CA to both 7Server and 8Server nodes systems ca-bundle.trust.crt 3. manually replace HTTP and LDAP certificates with corporated signed certificates 4. remove 7Server replica and first master, so we end up with the no-CA 8Server nodes only I'm wondering whether replication will still be functional when performing step 3, but I can perform additional testing on that. We are running production with our setup, so we need a 'online' migration strategy. Would this be the best approach or do I need another solution? ;-) _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...