
18.8. Moving CRL Generation from the Master (Original) Server to Another Replica

The first FreeIPA server installed owns the master CA in the PKI hierarchy. The master CA is the authoritative CA; it has the root CA signing key and generates CRLs which are distributed among the other servers and replicas in the topology. All subsequent replica databases are cloned (or copied) directly from that master database as part of running ipa-replica-install.

NOTE

The only reason to replace the master server is if the master server is being taken offline. There has to be a root CA which can issue CRLs and ultimately validate certificate checks.

18.8.1. About the Master Server, Replicas, and Generating CRLs

As explained in Section 1.3.1, “About FreeIPA Servers and Replicas”, all servers and replicas work together to share data. This arrangement is the server topology.
Servers — which are created with ipa-server-install — can host DNS or CA services. These are the original services. When a replica is created (with ipa-replica-install), it is based on the configuration of an existing server. A replica, likewise, can host DNS and CA services, but this is not required.
After they are created, servers and replicas are equal peers in the server topology. They are all read-write data masters and replicate information to each other through multi-master replication. Servers and replicas which host a CA are also equal peers in the topology. They can all issue certificates and keys to FreeIPA clients, and they all replicate information amongst themselves.
The only difference between a server and a replica is which FreeIPA server issues the CRL.
When the first server is installed, it is configured to issue CRLs. In its CA configuration file (/var/lib/pki-ca/conf/CS.cfg), it has CRL generation enabled:
ca.crl.issuingPointId.enableCRLCache=true
ca.crl.issuingPointId.enableCRLUpdates=true
ca.certStatusUpdateInterval=600
ca.listenToCloneModifications=false
All replicas point to that master CA as the source for CRL information and disable the CRL settings:
master.ca.agent.host=hostname
master.ca.agent.port=port number
ca.certStatusUpdateInterval=0
ca.crl.issuingPointId.enableCRLUpdates=false
Promoting a replica to a master server changes its configuration and enables it to issue CRLs and function as the root CA.

18.8.2. Promoting a Replica

  1. If the replica was originally installed without a CA, then create a CA. This requires the replica file that was used to create the replica. (A new one can be created from the original FreeIPA server, if need be.)
    [root@ipareplica ~]# ipa-ca-install -p DMpassword -w adminpassword /var/lib/ipa/replica-info-ipareplica.example.com.gpg
  2. On the replica server, stop the CA server.
    service pki-cad stop
  3. Open the CA's configuration directory.
    cd /var/lib/pki-ca/conf
  4. Edit the CS.cfg file to configure the replica's CA as a master.
    1. Delete each line which begins with the ca.crl. prefix.
    2. Copy each line beginning with the ca.crl. prefix from the CA CS.cfg file on the master server into the replica server's CA CS.cfg file.
    3. Enable control of the database maintenance thread; the default value for a master CA is 600.
      ca.certStatusUpdateInterval=600
    4. Enable monitoring database replication:
      ca.listenToCloneModifications=true
    5. Enable maintenance of the CRL cache:
      ca.crl.issuingPointId.enableCRLCache=true
    6. Enable CRL generation:
      ca.crl.issuingPointId.enableCRLUpdates=true
    7. Disable the redirect settings for CRL generation requests:
      master.ca.agent.host=hostname
      master.ca.agent.port=port number
  5. Start the CA server.
    service pki-cad start
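The CS.cfg edits in step 4 above, applied mechanically to the text of the two configuration files, as an added example that is not FreeIPA or Dogtag code. The function name, the sample file contents and the issuing point name MasterCRL are assumptions, and the example interprets "disable the redirect settings" in step 4.7 as removing the master.ca.agent.* lines.

```python
import re

def _parse(lines):
    """Yield (key, value) for key=value lines; comments/blank lines get key None."""
    for ln in lines:
        if "=" in ln and not ln.lstrip().startswith("#"):
            k, v = ln.split("=", 1)
            yield k.strip(), v.strip()
        else:
            yield None, ln

def promote_cs_cfg(replica_cfg, master_cfg):
    """Return the replica's CS.cfg text rewritten as a master CA config."""
    # Step 4.1: drop every line with the ca.crl. prefix from the replica config.
    # Step 4.7 (assumption): drop the master.ca.agent.* redirect lines as well.
    entries = [(k, v) for k, v in _parse(replica_cfg.splitlines())
               if k is None or not k.startswith(("ca.crl.", "master.ca.agent."))]
    # Step 4.2: copy every ca.crl. line from the master server's CS.cfg.
    entries += [(k, v) for k, v in _parse(master_cfg.splitlines())
                if k is not None and k.startswith("ca.crl.")]
    # Steps 4.3 to 4.6: values a master CA needs, for each issuing point copied.
    overrides = {"ca.certStatusUpdateInterval": "600",
                 "ca.listenToCloneModifications": "true"}
    for k, _ in entries:
        m = re.match(r"ca\.crl\.([^.]+)\.", k or "")
        if m:
            overrides["ca.crl.%s.enableCRLCache" % m.group(1)] = "true"
            overrides["ca.crl.%s.enableCRLUpdates" % m.group(1)] = "true"
    out, seen = [], set()
    for k, v in entries:
        if k is None:
            out.append(v)
        elif k not in seen:               # keep one line per key
            seen.add(k)
            out.append("%s=%s" % (k, overrides.pop(k, v)))
    out.extend("%s=%s" % kv for kv in overrides.items())  # keys not yet present
    return "\n".join(out) + "\n"

def cfg_dict(text):
    """Key/value view of a CS.cfg text, for checking the result."""
    return {k: v for k, v in _parse(text.splitlines()) if k is not None}

# Constructed sample fragments, not real CS.cfg files.
REPLICA_CFG = """# constructed replica fragment
master.ca.agent.host=ipaserver.example.com
master.ca.agent.port=443
ca.certStatusUpdateInterval=0
ca.listenToCloneModifications=false
ca.crl.MasterCRL.enableCRLUpdates=false
"""
MASTER_CFG = """ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.certStatusUpdateInterval=600
ca.listenToCloneModifications=false
"""

if __name__ == "__main__":
    print(promote_cs_cfg(REPLICA_CFG, MASTER_CFG), end="")
```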