Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

D.4. Promoting a Replica to a Master CA Server

In a topology including multiple replicas, one server acts as the master CA: it manages the renewal of CA subsystem certificates and generates certificate revocation lists (CRLs). By default, the master CA is the initial server from which replicas were created.
If you plan to take the master CA server offline or decommission it, promote a replica to take the its place as the master CA:

D.4.1. Changing Which Server Handles Certificate Renewal

To determine which server is the current renewal master:
  • On Red Hat Enterprise Linux 7.3 and later, use the ipa config-show | grep "CA renewal master" command:
    $ ipa config-show | grep "CA renewal master"
    IPA CA renewal master:
  • On Red Hat Enterprise Linux 7.2 and earlier, use the ldapsearch utility. In the following example, the renewal master is
    $ ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=com' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
    Enter LDAP Password:
    # extended LDIF
    # LDAPv3
    # base <cn=masters,cn=ipa,cn=etc,dc=example,dc=com> with scope subtree
    # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
    # requesting: dn
    # CA,, masters, ipa, etc,
    dn: cn=CA,,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
    # search result
    search: 2
    result: 0 Success
    # numResponses: 2
    # numEntries: 1
To configure another server to handle certificate renewal, use the ipa-csreplica-manage utility:
# ipa-csreplica-manage set-renewal-master
The command also automatically reconfigures the previous CA from renewal master to clone.