[Freeipa-users] Replicating o=ipaca

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Aug 12 19:53:05 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/12/2014 11:49 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> The documentation seems to be a little fuzzy on setting up two
>> CAs, some parts indicate this is a bad idea because the CRLs can
>> clobber each other, other parts, such as the migration guide from
>> RHEL 6.5 to 7 seem to indicate that it is ok, albeit maybe that
>> is just for a short time.
> 
> It isn't a bad idea to stand up clones, you just need to understand
> that this is one of the rare places where all masters are not
> equal. One has to be designated as the CRL generator and one as the
> CA renewal master. These don't have to be the same but it makes
> sense to keep them together IMHO.
> 
> The reason to limit CRL generation to one master is the small
> chance that you could end up with two CRLs with the same serial
> number but containing different certificates. Remember that a CRL
> is just a signed snapshot in time of revoked certificates.
> 
> Similarly for renewal it is vastly easier to do it on one host than
> try to manage the race condition of them trying to renew at the
> same time.
> 
>> What I am wondering, because I get a little nervous when all my
>> data for the CA is on one host (backups aside), is whether there
>> is a value, assuming that having two concurrent dogtag instances
>> is a bad thing, to replicating the ipaca data in ldap. Just the
>> data I mean, would it be possible, having just the LDAP data and
>> whatever certs are in the replica file to basically reconstruct a
>> CA?
> 
> Right, you want at least two CAs for redundancy. Some dogtag guru
> could probably stand up a new CA using just the LDAP data and the
> certs but I can't imagine it would be easy, even for them.
> 
> rob
> 

Ok, are there manual steps involved in that, or does the --setup-ca on
the replica just take care of everything?

I certainly hope I am not looking in the wrong place, I just can't
seem to find anything definitive in the docs.

Thanks,
- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT6nChAAoJEFg7BmJL2iPOxjoH/i3fOKoJX1jFyMyP8L7KQZIA
c+H94PnvGrsNXUtA7nlfFAvkLj0k1H9lib5vxPwTAF+XGAY4EsxlxFU8e//aIKOw
yjDNqIVOoTa0OAVWNDDOFXyCZrmuvgpTLawk0iGSorWljPYWoQBaZvRmJo6l9MAO
QyKtBIrrhrese9iNTvg3qbR6teIHRTnoQ5QftE0dxvDlrSqc1sj2GppRoVGVqwqv
jETT6sq1IJaiFF3wBBso58vC5vLFqu8xkdF7g8nhRXnMX2oG50WHRtFoYvaGRlNf
pHfojyuZn9XhVmLvqAIi0da6T6iwtR1UvwwkVndLqso59iB6KgSx6GA/pfqJd8k=
=V5A3
-----END PGP SIGNATURE-----
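Rob's point above is that with several CA clones exactly one of them should generate CRLs. The following is an added example, not code from this thread or from the FreeIPA project: a small POSIX shell audit that reads copies of each CA master's Dogtag CS.cfg and reports whether zero, one, or more than one of them has CRL generation switched on. It assumes that the Dogtag setting ca.crl.MasterCRL.enableCRLUpdates is what controls CRL generation on an instance, that the config lives at /etc/pki/pki-tomcat/ca/CS.cfg (or /etc/pki-ca/CS.cfg on older releases), and that the administrator has already gathered those files into one place; the sample configs below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit CRL-generator roles
# across CA masters from saved copies of each master's Dogtag CS.cfg.
# Assumption: ca.crl.MasterCRL.enableCRLUpdates=true marks the CRL generator.

# crl_enabled FILE -> prints "true" if the file enables CRL generation,
# otherwise "false" (a missing key counts as disabled).
crl_enabled() {
    val=$(sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=[[:space:]]*//p' "$1" | tail -n 1)
    case "$val" in
        true|True|TRUE) echo true ;;
        *)              echo false ;;
    esac
}

# count_crl_masters FILE... -> number of configs with CRL generation enabled.
count_crl_masters() {
    n=0
    for f in "$@"; do
        if [ "$(crl_enabled "$f")" = true ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_single_crl_master FILE... -> "ok" for exactly one generator,
# "none" if no master generates CRLs, "conflict" if more than one does.
check_single_crl_master() {
    case "$(count_crl_masters "$@")" in
        1) echo ok ;;
        0) echo none ;;
        *) echo conflict ;;
    esac
}

# Constructed sample configs standing in for copies of
# /etc/pki/pki-tomcat/ca/CS.cfg taken from two hypothetical masters.
tmp=$(mktemp -d)
cat > "$tmp/ipa1.example.test.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
EOF
cat > "$tmp/ipa2.example.test.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=false
EOF

for f in "$tmp"/*.cfg; do
    printf '%s: enableCRLUpdates=%s\n' "$(basename "$f" .cfg)" "$(crl_enabled "$f")"
done
printf 'CRL generator status: %s\n' "$(check_single_crl_master "$tmp"/*.cfg)"
rm -rf "$tmp"
```

Run it after copying each master's CS.cfg into one directory; "conflict" means two masters are both producing CRLs (the duplicate-serial situation Rob describes), and "none" means nobody is, so CRLs will go stale.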