Well now that sounds a daunting endeavor. It would definitely be a last resort type
situation for sure. Thank you both for laying it out and I definitely didn't expect
it to be possible at all so at least its something.
I think the big problem we're having is the fact that we can't seem to create new
CA replicas against our old IPA 3.0 CA. I've upgraded the servers to the latest and
greatest multiple times over the last year (which caused its own set of problems which are
in a different thread) and each time it fails with a different error. I can generally
find the same problem in a bugzilla but even after patching to the recommended version it
still fails with a new error.
The latest being:
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML:
status=1
[14/Jun/2017:06:49:45][http-bio-8443-exec-3]: Unable to update security domain: 2
java.io.IOException: Unable to update security domain: 2