Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
Chapter 24. Decommissioning a server that performs the CA renewal server and CRL publisher roles
You might have one server performing both the Certificate Authority (CA) renewal server role and the Certificate Revocation List (CRL) publisher role. If you need to take this server offline or decommission it, select and configure another CA server to perform these roles.
In this example, the host server.idm.example.com, which fulfills the CA renewal server and CRL publisher roles, must be decommissioned. This procedure transfers the CA renewal server and CRL publisher roles to the host replica.idm.example.com and removes server.idm.example.com from the IdM environment.
You do not need to configure the same server to perform both CA renewal server and CRL publisher roles.
Prerequisites
- You have the IdM administrator credentials.
- You have the root password for the server you are decommissioning.
- You have at least two CA replicas in your IdM environment.
Procedure
Obtain the IdM administrator credentials:
kinit admin
[user@server ~]$ kinit admin Password for admin@IDM.EXAMPLE.COM:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: If you are not sure which servers perform the CA renewal server and CRL publisher roles:
Display the current CA renewal server. You can run the following command from any IdM server:
ipa config-show | grep 'CA renewal'
[user@server ~]$ ipa config-show | grep 'CA renewal' IPA CA renewal master: server.idm.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow Test if a host is the current CRL publisher.
ipa-crlgen-manage status
[user@server ~]$ ipa-crlgen-manage status CRL generation: enabled Last CRL update: 2019-10-31 12:00:00 Last CRL Number: 6 The ipa-crlgen-manage command was successfulCopy to Clipboard Copied! Toggle word wrap Toggle overflow A CA server that does not generate the CRL displays
CRL generation: disabled.ipa-crlgen-manage status
[user@replica ~]$ ipa-crlgen-manage status CRL generation: disabled The ipa-crlgen-manage command was successfulCopy to Clipboard Copied! Toggle word wrap Toggle overflow Continue entering this command on CA servers until you find the CRL publisher server.
Display all other CA servers you can promote to fulfill these roles. This environment has two CA servers.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Set
replica.idm.example.comas the CA renewal server.ipa config-mod --ca-renewal-master-server replica.idm.example.com
[user@server ~]$ ipa config-mod --ca-renewal-master-server replica.idm.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow On
server.idm.example.com:Disable the certificate updater task:
pki-server ca-config-set ca.certStatusUpdateInterval 0
[root@server ~]# pki-server ca-config-set ca.certStatusUpdateInterval 0Copy to Clipboard Copied! Toggle word wrap Toggle overflow Restart IdM services:
ipactl restart
[root@server ~]# ipactl restartCopy to Clipboard Copied! Toggle word wrap Toggle overflow
On
replica.idm.example.com:Enable the certificate updater task:
pki-server ca-config-unset ca.certStatusUpdateInterval
[root@replica ~]# pki-server ca-config-unset ca.certStatusUpdateIntervalCopy to Clipboard Copied! Toggle word wrap Toggle overflow Restart IdM services:
ipactl restart
[root@replica ~]# ipactl restartCopy to Clipboard Copied! Toggle word wrap Toggle overflow
On
server.idm.example.com, stop generating the CRL.Copy to Clipboard Copied! Toggle word wrap Toggle overflow On
replica.idm.example.com, start generating the CRL.Copy to Clipboard Copied! Toggle word wrap Toggle overflow Stop IdM services on
server.idm.example.com:ipactl stop
[root@server ~]# ipactl stopCopy to Clipboard Copied! Toggle word wrap Toggle overflow On
replica.idm.example.com, deleteserver.idm.example.comfrom the IdM environment.ipa server-del server.idm.example.com
[user@replica ~]$ ipa server-del server.idm.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow On
server.idm.example.com, use theipa-server-install --uninstallcommand as the root account:ipa-server-install --uninstall
[root@server ~]# ipa-server-install --uninstall ... Are you sure you want to continue with the uninstall procedure? [no]: yesCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Display the current CA renewal server.
ipa config-show | grep 'CA renewal'
[user@replica ~]$ ipa config-show | grep 'CA renewal' IPA CA renewal master: replica.idm.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow Confirm that the
replica.idm.example.comhost is generating the CRL.ipa-crlgen-manage status
[user@replica ~]$ ipa-crlgen-manage status CRL generation: enabled Last CRL update: 2019-10-31 12:10:00 Last CRL Number: 7 The ipa-crlgen-manage command was successfulCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}