Chapter 18. Decommissioning a server that performs the CA renewal server and CRL publisher roles
You might have one server performing both the Certificate Authority (CA) renewal server role and the Certificate Revocation List (CRL) publisher role. If you need to take this server offline or decommission it, select and configure another CA server to perform these roles.
In this example, the host server.idm.example.com, which fulfills the CA renewal server and CRL publisher roles, must be decommissioned. This procedure transfers the CA renewal server and CRL publisher roles to the host replica.idm.example.com and then removes server.idm.example.com from the IdM environment.
Note that the two roles do not have to be held by the same server; this example moves both of them to replica.idm.example.com only for simplicity.
Prerequisites
- You have the IdM administrator credentials.
- You have the root password for the server you are decommissioning.
- You have at least two CA replicas in your IdM environment.
Procedure
Obtain the IdM administrator credentials:

[user@server ~]$ kinit admin
Password for admin@IDM.EXAMPLE.COM:
Optional: If you are not sure which servers perform the CA renewal server and CRL publisher roles:
Display the current CA renewal server. You can run the following command from any IdM server:
[user@server ~]$ ipa config-show | grep 'CA renewal'
  IPA CA renewal master: server.idm.example.com
Test whether a host is the current CRL publisher. This command reports only on the local host, so it must be run on the CA server you are checking. The CRL publisher reports CRL generation: enabled together with the time and serial number of the last CRL it issued:

[user@server ~]$ ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2019-10-31 12:00:00
Last CRL Number: 6
The ipa-crlgen-manage command was successful

A CA server that does not generate the CRL displays CRL generation: disabled:

[user@replica ~]$ ipa-crlgen-manage status
CRL generation: disabled
The ipa-crlgen-manage command was successful

Continue running this command on CA servers until you find the CRL publisher.
Display all other CA servers you can promote to fulfill these roles. This environment has two CA servers:

[user@server ~]$ ipa server-role-find --role 'CA server'
----------------------
2 server roles matched
----------------------
  Server name: server.idm.example.com
  Role name: CA server
  Role status: enabled

  Server name: replica.idm.example.com
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------
Set replica.idm.example.com as the CA renewal server:

[user@server ~]$ ipa config-mod --ca-renewal-master-server replica.idm.example.com
On server.idm.example.com, as root:

Disable the certificate updater task:

[root@server ~]# pki-server ca-config-set ca.certStatusUpdateInterval 0

Restart IdM services:

[root@server ~]# ipactl restart
On replica.idm.example.com, as root:

Enable the certificate updater task:

[root@replica ~]# pki-server ca-config-unset ca.certStatusUpdateInterval

Restart IdM services:

[root@replica ~]# ipactl restart
On server.idm.example.com, stop generating the CRL:

[user@server ~]$ ipa-crlgen-manage disable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
The ipa-crlgen-manage command was successful
On replica.idm.example.com, start generating the CRL. Only one CA server may generate the CRL at any time, which is why generation is disabled on the old publisher before it is enabled on the new one:

[user@replica ~]$ ipa-crlgen-manage enable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
Forcing CRL update
CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
The ipa-crlgen-manage command was successful
Stop IdM services on server.idm.example.com:

[root@server ~]# ipactl stop
On replica.idm.example.com, delete server.idm.example.com from the IdM environment. Run this command from a server that remains in the topology, not from the host you are removing:

[user@replica ~]$ ipa server-del server.idm.example.com
On server.idm.example.com, run the ipa-server-install --uninstall command as the root account:

[root@server ~]# ipa-server-install --uninstall
...
Are you sure you want to continue with the uninstall procedure? [no]: yes
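The step that is easy to get wrong in this procedure is running ipa-server-install --uninstall while the host still holds one of the two roles. As an added example that is not part of this chapter or of the IdM tooling, the following POSIX shell pre-flight check parses the output formats of ipa config-show | grep 'CA renewal' and ipa-crlgen-manage status shown above and refuses to proceed while the host is still the CA renewal server or the CRL publisher. The function names and the sample outputs are the example's own; the sample outputs are constructed from the values shown in this chapter so the script runs offline, and on a live host you would capture the real command output into the same variables.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or of IdM itself:
# a pre-flight check before decommissioning a CA server. It parses the
# output formats of
#   ipa config-show | grep 'CA renewal'   and   ipa-crlgen-manage status
# The outputs below are constructed sample strings modelled on the ones in
# this chapter, so the script runs offline.

# Print the hostname recorded as "IPA CA renewal master" in ipa config-show output.
renewal_master() {
    printf '%s\n' "$1" | sed -n 's/^ *IPA CA renewal master: *//p'
}

# Succeed (exit 0) if ipa-crlgen-manage status output says the local host
# generates the CRL.
crl_enabled() {
    printf '%s\n' "$1" | grep -q '^ *CRL generation: enabled *$'
}

# safe_to_decommission HOST CONFIG_SHOW_OUTPUT CRLGEN_STATUS_OUTPUT
# Exit 0 only when HOST holds neither role; otherwise explain on stderr and exit 1.
safe_to_decommission() {
    host=$1
    cfg=$2
    crl=$3
    rc=0
    if [ "$(renewal_master "$cfg")" = "$host" ]; then
        echo "$host is still the CA renewal server: move the role first with" \
             "ipa config-mod --ca-renewal-master-server <other CA server>" >&2
        rc=1
    fi
    if crl_enabled "$crl"; then
        echo "$host still generates the CRL: run ipa-crlgen-manage disable here" \
             "and ipa-crlgen-manage enable on exactly one other CA server" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample outputs: the state before the roles are moved ...
BEFORE_CFG='  IPA CA renewal master: server.idm.example.com'
BEFORE_CRL='CRL generation: enabled
Last CRL update: 2019-10-31 12:00:00
Last CRL Number: 6
The ipa-crlgen-manage command was successful'
# ... and the state on server.idm.example.com after both roles went to the replica.
AFTER_CFG='  IPA CA renewal master: replica.idm.example.com'
AFTER_CRL='CRL generation: disabled
The ipa-crlgen-manage command was successful'

# Usage: the first check is refused, the second passes.
if safe_to_decommission server.idm.example.com "$BEFORE_CFG" "$BEFORE_CRL"; then
    echo "before: safe to run ipa-server-install --uninstall on server.idm.example.com"
else
    echo "before: do not uninstall server.idm.example.com yet"
fi
if safe_to_decommission server.idm.example.com "$AFTER_CFG" "$AFTER_CRL"; then
    echo "after: safe to run ipa-server-install --uninstall on server.idm.example.com"
else
    echo "after: do not uninstall server.idm.example.com yet"
fi
```

The check is deliberately conservative: a host that has given up the renewal role but still generates the CRL is refused as well, because uninstalling it would leave the environment with no CRL publisher until ipa-crlgen-manage enable is run elsewhere.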
Verification
Display the current CA renewal server:

[user@replica ~]$ ipa config-show | grep 'CA renewal'
  IPA CA renewal master: replica.idm.example.com
Confirm that the replica.idm.example.com host is generating the CRL. The CRL number has advanced past the last value reported by the old publisher, which shows that the new publisher has already issued a CRL:

[user@replica ~]$ ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2019-10-31 12:10:00
Last CRL Number: 7
The ipa-crlgen-manage command was successful

Optionally, run ipa server-role-find --role 'CA server' again to confirm that server.idm.example.com is no longer listed as a CA server.