Chapter 40. Migrating to IdM on RHEL 7 from FreeIPA on non-RHEL Linux distributions

To migrate a FreeIPA deployment on a non-RHEL Linux distribution to an Identity Management (IdM) deployment on RHEL 7 servers, you must first add a new RHEL 7 IdM Certificate Authority (CA) replica to your existing FreeIPA environment, transfer certificate-related roles to it, and then retire the non-RHEL FreeIPA servers.
Performing an in-place conversion of a non-RHEL FreeIPA server to a RHEL 7 IdM server using the Convert2RHEL tool is not supported.


  • You have determined the domain level of your non-RHEL FreeIPA certificate authority (CA) renewal server. For more information, see Displaying the Current Domain Level.
  • You have installed RHEL 7.9 on the system that you want to become the new CA renewal server.


To perform the migration, follow the same procedure as Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7, with your non-RHEL FreeIPA CA server acting as the RHEL 6 server:
  1. If the original non-RHEL CA renewal server is running FreeIPA version 3.1 or older, Update the Identity Management Schema. To display the installed FreeIPA version, use the ipa --version command.
  2. Configure a RHEL 7 server and add it as an IdM replica to your current FreeIPA environment on the non-RHEL Linux distribution. If the domain level for your domain is 0, see Installing the RHEL 7 Replica. If the domain level is 1, follow the steps described in Creating the Replica: Introduction.
  3. Make the RHEL 7 replica the CA renewal server, stop generating the certificate revocation list (CRL) on the non-RHEL server and redirect CRL requests to the RHEL 7 replica. For details, see Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server.
  4. Stop the original non-RHEL FreeIPA CA renewal server to force domain discovery to the new RHEL 7 server. For details, see Stop the Red Hat Enterprise Linux 6 Server.
  5. Install new replicas on other RHEL 7 systems and decommission the non-RHEL server. For details, see Next steps after migrating the master CA server.
    Red Hat recommends having IdM replicas of only one major RHEL version in your topology. For this reason, do not delay decommissioning the old server.
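
The two decisions in steps 1 and 2 can be checked before you start. The following script is an added example, not part of the Red Hat procedure: the function names are hypothetical, the sample strings are constructed, and it assumes that ipa --version prints "VERSION: X.Y.Z, API_VERSION: ..." and that the domain level command prints "Current domain level: N".

```shell
#!/bin/bash
# Added planning helper, not Red Hat code. It only parses text; it changes nothing.
# Assumed output formats: `ipa --version` prints "VERSION: X.Y.Z, API_VERSION: ..."
# and `ipa domainlevel-get` prints a line "Current domain level: N".

# Print MAJOR.MINOR from `ipa --version` output, or nothing if it cannot be parsed.
ipa_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^VERSION: \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Step 1: does the schema update apply? Any 3.1.z release is treated as "3.1".
schema_step() {
    local mm major minor
    mm=$(ipa_major_minor "$1")
    if [ -z "$mm" ]; then echo "unknown"; return 0; fi
    major=${mm%%.*}
    minor=${mm#*.}
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -le 1 ]; }; then
        echo "update-schema"
    else
        echo "skip-schema-update"
    fi
}

# Step 2: map the domain level to the replica guide named in the procedure.
replica_guide() {
    local level
    level=$(printf '%s\n' "$1" | sed -n 's/^Current domain level: \([0-9][0-9]*\).*/\1/p')
    case "$level" in
        0) echo "Installing the RHEL 7 Replica" ;;
        1) echo "Creating the Replica: Introduction" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample output; on the non-RHEL CA renewal server pass
# "$(ipa --version)" and "$(ipa domainlevel-get)" instead.
sample_version='VERSION: 4.4.4, API_VERSION: 2.215'
sample_level='Current domain level: 1'
echo "Step 1: $(schema_step "$sample_version")"
echo "Step 2: $(replica_guide "$sample_level")"
```

A result of "unknown" means the output did not match the assumed format, so check the version or domain level by hand before continuing.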

Additional resources