D.4. Promoting a Replica to a Master CA Server
In a topology including multiple replicas, one server acts as the master CA: it manages the renewal of CA subsystem certificates and generates certificate revocation lists (CRLs). By default, the master CA is the initial server from which replicas were created.
If you plan to take the master CA server offline or decommission it, promote a replica to take its place as the master CA:
- Make sure the replica is configured to handle CA subsystem certificate renewal. See Section D.4.1, “Changing Which Server Handles Certificate Renewal”.
- Configure the replica to generate CRLs. See Section 6.5.2.2, “Changing Which Server Generates CRLs”.
D.4.1. Changing Which Server Handles Certificate Renewal
To determine which server is the current renewal master:
- On Red Hat Enterprise Linux 7.3 and later, use the ipa config-show | grep "CA renewal master" command:
    $ ipa config-show | grep "CA renewal master"
      IPA CA renewal master: server.example.com
- On Red Hat Enterprise Linux 7.2 and earlier, use the ldapsearch utility. In the following example, the renewal master is server.example.com:
    $ ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=com' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <cn=masters,cn=ipa,cn=etc,dc=example,dc=com> with scope subtree
    # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
    # requesting: dn
    #

    # CA, server.example.com, masters, ipa, etc, example.com
    dn: cn=CA,cn=server.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
To configure another server to handle certificate renewal, use the ipa-csreplica-manage utility:
    # ipa-csreplica-manage set-renewal-master
The command also automatically reconfigures the previous CA from renewal master to clone.
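The following pre-flight check is an added example, not part of the Red Hat documentation or the IdM tooling. It parses the two output formats shown above (the "IPA CA renewal master:" line from ipa config-show, and the dn line returned by the ldapsearch query) to extract the current renewal master, and then refuses to approve decommissioning of a server that still holds that role. The sample outputs embedded below are constructed to mirror the formats in the text; the function names, the return codes, and the hostnames are assumptions for the example and not IdM identifiers.

```shell
#!/bin/sh
# Pre-flight check before taking an IdM server offline: confirm the CA renewal
# master role has already moved to another replica.
# Added example, not Red Hat's own code. Sample outputs are constructed.

# Constructed sample of `ipa config-show` output (RHEL 7.3 and later format).
SAMPLE_CONFIG_SHOW='  Domain: example.com
  IPA CA renewal master: server.example.com
  IPA master capabilities: SASL Authentication'

# Constructed sample of the ldapsearch result (RHEL 7.2 and earlier approach).
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# requesting: dn
#

# CA, server.example.com, masters, ipa, etc, example.com
dn: cn=CA,cn=server.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

# search result
search: 2
result: 0 Success'

# Print the renewal master hostname found in `ipa config-show` output ($1).
# Prints nothing if the line is absent.
renewal_master_from_config_show() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p' \
        | head -n 1
}

# Print the renewal master hostname from the dn line of the ldapsearch
# output ($1). The DN has the form cn=CA,cn=<host>,cn=masters,...
renewal_master_from_ldif() {
    printf '%s\n' "$1" \
        | sed -n 's/^dn: cn=CA,cn=\([^,]*\),cn=masters,.*/\1/p' \
        | head -n 1
}

# Decide whether server $2 may be decommissioned given renewal master $1.
# Returns 0 when the role lives elsewhere, 1 when $2 is still the renewal
# master, and 2 when the renewal master could not be determined at all
# (an empty answer must never be treated as "safe").
safe_to_decommission() {
    master="$1"
    candidate="$2"
    [ -n "$master" ] || return 2
    [ "$master" != "$candidate" ] || return 1
    return 0
}

# Stand-alone demonstration using the constructed samples.
master=$(renewal_master_from_config_show "$SAMPLE_CONFIG_SHOW")
echo "Renewal master (config-show): $master"
echo "Renewal master (ldapsearch):  $(renewal_master_from_ldif "$SAMPLE_LDIF")"
for host in server.example.com replica.example.com; do
    if safe_to_decommission "$master" "$host"; then
        echo "$host: renewal master role is elsewhere, safe to take offline"
    else
        echo "$host: still the CA renewal master, promote a replica first (rc=$?)"
    fi
done
```

On a live server you would feed the functions the real output (for example `renewal_master_from_config_show "$(ipa config-show)"`) and run the check against the hostname you intend to decommission; the non-zero return for an undetermined master is deliberate so that a failed lookup blocks the decommission rather than silently passing.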
