GH via FreeIPA-users wrote:
Had to copy the ASCII into the CS.cfg on the "secondary" manually. Now
everything shows that it's happy from my untrained eye. Is there a way
to test that the CS.cfg will now copy over correctly or that certs will
be replicated correctly? Appreciate all of the help so far to get me to
this point.

A clean bill of health from ipa-healthcheck is a decent start. It isn't
perfect but it covers a lot of the common issues.

I'll add that renewal across all servers isn't an immediate thing.
certmonger knows when the current one(s) will expire and by default will
start looking for new ones with 28 days left and go by halves after
that. So even if you manage to renew a CA cert on one side the others
aren't going to bother looking for it for quite some time.

If you want to check on replication you can always issue a test cert and
ensure it appears on all the other servers.

rob