Chapter 24. Decommissioning a server that performs the CA renewal server and CRL publisher roles
Transfer the certificate authority (CA) renewal server and CRL publisher roles to another CA replica before decommissioning the server that currently holds both roles. Only the CA renewal server renews the shared IdM system certificates (the other CA replicas retrieve the renewed certificates from it), and only the CRL publisher generates the certificate revocation list. Removing the server without transferring the roles leaves certificate renewal and CRL generation with no owner.
In this example, the host server.idm.example.com, which fulfills the CA renewal server and CRL publisher roles, must be decommissioned. This procedure transfers the CA renewal server and CRL publisher roles to the host replica.idm.example.com and removes server.idm.example.com from the IdM environment.
The two roles do not have to be held by the same server. This procedure moves both to replica.idm.example.com because server.idm.example.com currently holds both, but you can promote a different CA replica for each role.
Prerequisites
- You have the IdM administrator credentials.
- You have the root password for the server you are decommissioning.
- You have at least two CA replicas in your IdM environment.
Procedure
1. Obtain the IdM administrator credentials:

   [user@server ~]$ kinit admin
   Password for admin@IDM.EXAMPLE.COM:

2. Optional: If you are not sure which servers perform the CA renewal server and CRL publisher roles:
   a. Display the current CA renewal server. You can run the following command from any IdM server:

      [user@server ~]$ ipa config-show | grep 'CA renewal'
        IPA CA renewal master: server.idm.example.com

   b. Test if a host is the current CRL publisher. The command reports the local host only, so continue entering it on CA servers until you find the CRL publisher:

      [user@server ~]$ ipa-crlgen-manage status
      CRL generation: enabled
      Last CRL update: 2019-10-31 12:00:00
      Last CRL Number: 6
      The ipa-crlgen-manage command was successful

      A CA server that does not generate the CRL displays CRL generation: disabled:

      [user@replica ~]$ ipa-crlgen-manage status
      CRL generation: disabled
      The ipa-crlgen-manage command was successful

3. Display all other CA servers you can promote to fulfill these roles. This environment has two CA servers:

   [user@server ~]$ ipa server-role-find --role 'CA server'
   ----------------------
   2 server roles matched
   ----------------------
     Server name: server.idm.example.com
     Role name: CA server
     Role status: enabled

     Server name: replica.idm.example.com
     Role name: CA server
     Role status: enabled
   ----------------------------
   Number of entries returned 2
   ----------------------------

4. Set replica.idm.example.com as the CA renewal server:

   [user@server ~]$ ipa config-mod --ca-renewal-master-server replica.idm.example.com

5. On server.idm.example.com:
   a. Disable the certificate updater task:

      [root@server ~]# pki-server ca-config-set ca.certStatusUpdateInterval 0

   b. Restart IdM services:

      [root@server ~]# ipactl restart

6. On replica.idm.example.com:
   a. Enable the certificate updater task:

      [root@replica ~]# pki-server ca-config-unset ca.certStatusUpdateInterval

   b. Restart IdM services:

      [root@replica ~]# ipactl restart

7. On server.idm.example.com, stop generating the CRL. Run the command as root: it edits the CA and httpd configuration and restarts services. Disable CRL generation on the old publisher before enabling it on the new one, so that at no point is there more than one CRL generation master:

   [root@server ~]# ipa-crlgen-manage disable
   Stopping pki-tomcatd
   Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
   Starting pki-tomcatd
   Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
   Restarting httpd
   CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
   The ipa-crlgen-manage command was successful

8. On replica.idm.example.com, start generating the CRL. Enabling the role forces an immediate CRL update, so the new publisher serves a fresh CRL right away:

   [root@replica ~]# ipa-crlgen-manage enable
   Stopping pki-tomcatd
   Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
   Starting pki-tomcatd
   Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
   Restarting httpd
   Forcing CRL update
   CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
   The ipa-crlgen-manage command was successful

9. Stop IdM services on server.idm.example.com:

   [root@server ~]# ipactl stop

10. On replica.idm.example.com, delete server.idm.example.com from the IdM environment:

    [user@replica ~]$ ipa server-del server.idm.example.com

11. On server.idm.example.com, use the ipa-server-install --uninstall command as the root account:

    [root@server ~]# ipa-server-install --uninstall
    ...
    Are you sure you want to continue with the uninstall procedure? [no]: yes
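The point of steps 4 through 8 is that the server you delete must hold neither role by the time you run ipa server-del. The following pre-flight check is an added example, not part of the IdM documentation or the FreeIPA project: it parses the output of the two status commands the procedure already uses (ipa config-show and ipa-crlgen-manage status) and refuses unless the CA renewal server role has moved to another host and CRL generation is disabled locally. The function names and the sample command outputs embedded below are assumptions constructed for this example; the live_check function is the only part that runs real IdM commands and is meant to be run as root on the host being decommissioned, after kinit admin.

```shell
#!/bin/sh
# Added example (not from the IdM documentation or the FreeIPA project):
# a pre-flight check to run on the server you are about to delete.
# Function names and sample outputs below are assumptions for this example.

# Extract the CA renewal server hostname from `ipa config-show` output.
renewal_master_from_config() {
    printf '%s\n' "$1" | sed -n 's/^ *IPA CA renewal master: *\([^ ]*\).*/\1/p' | head -n 1
}

# Extract "enabled" or "disabled" from `ipa-crlgen-manage status` output.
crlgen_state() {
    printf '%s\n' "$1" | sed -n 's/^ *CRL generation: *\([a-z]*\).*/\1/p' | head -n 1
}

# Return 0 when HOST holds neither role, 1 (with the reason on stderr) otherwise.
# Arguments: host, `ipa config-show` output, local `ipa-crlgen-manage status` output.
check_safe_to_decommission() {
    host=$1
    master=$(renewal_master_from_config "$2")
    crl=$(crlgen_state "$3")
    rc=0
    if [ -z "$master" ] || [ "$master" = "$host" ]; then
        echo "refusing: $host is still the CA renewal server (found: '${master:-none}')" >&2
        rc=1
    fi
    if [ "$crl" != "disabled" ]; then
        echo "refusing: CRL generation on $host is '${crl:-unknown}', expected 'disabled'" >&2
        rc=1
    fi
    return $rc
}

# Live variant: run as root on the host being decommissioned, after kinit admin.
# ipa-crlgen-manage status reports the local host only, so it must run there.
live_check() {
    check_safe_to_decommission "$(hostname -f)" "$(ipa config-show)" "$(ipa-crlgen-manage status)"
}

# Constructed sample outputs mirroring the procedure's before/after state.
CONFIG_BEFORE='  Maximum username length: 32
  IPA CA renewal master: server.idm.example.com'
CONFIG_AFTER='  Maximum username length: 32
  IPA CA renewal master: replica.idm.example.com'
CRL_ENABLED='CRL generation: enabled
Last CRL update: 2019-10-31 12:00:00
Last CRL Number: 6
The ipa-crlgen-manage command was successful'
CRL_DISABLED='CRL generation: disabled
The ipa-crlgen-manage command was successful'
```

Run `. ./precheck.sh && live_check && ipa server-del server.idm.example.com` on the replica only after the check has passed on the server being removed; the check treats a missing renewal master line as unsafe on purpose, because an empty value means the role could not be confirmed elsewhere.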
Verification
1. Display the current CA renewal server:

   [user@replica ~]$ ipa config-show | grep 'CA renewal'
     IPA CA renewal master: replica.idm.example.com

2. Confirm that the replica.idm.example.com host is generating the CRL. The CRL number has advanced from the value seen before the transfer, because enabling the role forced a CRL update:

   [user@replica ~]$ ipa-crlgen-manage status
   CRL generation: enabled
   Last CRL update: 2019-10-31 12:10:00
   Last CRL Number: 7
   The ipa-crlgen-manage command was successful