Chapter 3. Migrating to IdM on RHEL 8 from FreeIPA on non-RHEL Linux distributions

To migrate a FreeIPA deployment on a non-RHEL Linux distribution to an Identity Management (IdM) deployment on RHEL 8 servers, you must first add a new RHEL 8 IdM Certificate Authority (CA) replica to your existing FreeIPA environment, transfer certificate-related roles to it, and then retire the non-RHEL FreeIPA servers.


Performing an in-place conversion of a non-RHEL FreeIPA server to a RHEL 8 IdM server using the Convert2RHEL tool is not supported.

To perform the migration, follow the same procedure as Migrating your IdM environment from RHEL 7 servers to RHEL 8 servers, with your non-RHEL FreeIPA CA replica acting as the RHEL 7 server:

  1. Configure a RHEL 8 server and add it as an IdM replica to your current FreeIPA environment on the non-RHEL Linux distribution. For details, see Installing the RHEL 8 Replica.
  2. Make the RHEL 8 replica the certificate authority (CA) renewal server. For details, see Assigning the CA renewal server role to the RHEL 8 IdM server.
  3. Stop generating the certificate revocation list (CRL) on the non-RHEL server and redirect CRL requests to the RHEL 8 replica. For details, see Stopping CRL generation on a RHEL 7 IdM CA server.
  4. Start generating the CRL on the RHEL 8 server. For details, see Starting CRL generation on the new RHEL 8 IdM CA server.
  5. Stop and decommission the original non-RHEL FreeIPA CA renewal server. For details, see Stopping and decommissioning the RHEL 7 server.
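
A preflight check for step 5, written as an added example rather than code from the Red Hat documentation: it reads captured output of `ipa config-show` and `ipa-crlgen-manage status` and reports a block unless the CA renewal role and CRL generation have both moved to the RHEL 8 replica. The hostnames and sample outputs are constructed, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not Red Hat's code. Gate for step 5 of the procedure above.
# On a live deployment the three inputs would be captured with:
#   ipa config-show           (on any IdM server)
#   ipa-crlgen-manage status  (once on the old server, once on the RHEL 8 replica)

# Constructed sample outputs; hostnames are placeholders.
SAMPLE_CONFIG='  Maximum username length: 32
  IPA CA renewal master: rhel8.idm.example.com
  IPA masters: freeipa-old.idm.example.com, rhel8.idm.example.com'
SAMPLE_CRL_OLD='CRL generation: disabled'
SAMPLE_CRL_NEW='CRL generation: enabled
Last CRL update: 2024-01-01 12:00:00
Last CRL Number: 6'

# field LABEL TEXT: print the value after "LABEL:" on the first matching line.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}
ca_renewal_server() { field 'IPA CA renewal master' "$1"; }
crl_state()         { field 'CRL generation' "$1"; }

# ready_to_decommission NEW_HOST CONFIG_SHOW OLD_CRL_STATUS NEW_CRL_STATUS
# Returns 0 only if steps 2-4 are visibly complete; prints each failed check.
ready_to_decommission() {
    rc=0
    renewal=$(ca_renewal_server "$2")
    old_crl=$(crl_state "$3")
    new_crl=$(crl_state "$4")
    if [ "$renewal" != "$1" ]; then
        echo "BLOCK: CA renewal server is '${renewal:-unknown}', expected '$1'"
        rc=1
    fi
    if [ "$old_crl" != "disabled" ]; then
        echo "BLOCK: old server CRL generation is '${old_crl:-unknown}'"
        rc=1
    fi
    if [ "$new_crl" != "enabled" ]; then
        echo "BLOCK: RHEL 8 replica CRL generation is '${new_crl:-unknown}'"
        rc=1
    fi
    return "$rc"
}

if ready_to_decommission rhel8.idm.example.com \
        "$SAMPLE_CONFIG" "$SAMPLE_CRL_OLD" "$SAMPLE_CRL_NEW"; then
    echo "Preconditions for step 5 hold"
fi
```

A missing field is treated as a failed check, so truncated or unexpected command output blocks decommissioning rather than passing silently.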