I think you should read this carefully, but it should work:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/server-roles#server-roles-promote-to-ca

The whole CA data is replicated among all LDAP servers, so it should be fixable.