Absent Member.

Certificate Authority CA Role question

Well I haven't asked a question on here in quite some time.

Does anyone know if I can export my CA role and cert from first primary server ZEN internal CA store and import on another primary for redundant internal zen CA servers?

Not sure if this is supported or even works in case one bites the dust.

Thanks in advance 🙂
Micro Focus Expert

mark7508;2349159 wrote:
Well I haven't asked a question on here in quite some time.

Does anyone know if I can export my CA role and cert from first primary server ZEN internal CA store and import on another primary for redundant internal zen CA servers?

Not sure if this is supported or even works in case one bites the dust.

Thanks in advance 🙂


No, you can't have "redundant".
But the CA server is only needed when Generating Certs such as when building a new Primary or configuring an Auth Satellite.
I've seen folks lose their CA server and not know it for a year or more :))
Simply make sure you have followed the steps for backing up your CA and if you ever lose your CA server permanently, you can use those files to install the CA service on another server.
Absent Member.

CRAIGDWILSON;2349164 wrote:
No, you can't have "redundant".
But the CA server is only needed when Generating Certs such as when building a new Primary or configuring an Auth Satellite.
I've seen folks lose their CA server and not know it for a year or more :))
Simply make sure you have followed the steps for backing up your CA and if you ever lose your CA server permanently, you can use those files to install the CA service on another server.


Thanks I was mainly asking since I was replacing the main Primary with one of our others. But already got it going. Thanks for the reply
Micro Focus Expert

mark7508;2349167 wrote:
Thanks I was mainly asking since I was replacing the main Primary with one of our others. But already got it going. Thanks for the reply


When moving the CA, keep in mind that all certs will still say they were issued by the original server.
As bizarre as that may seem, it is normal; make no attempt to fix this.

The reason is that the "CA" was created with a "Name" that just happened to match the server's name.
So the issuer is not the ServerOS Name nor the ZCM Object's name but the Name of the CA which all happen to match initially.
When you move the "CA" to a new server, the CA's name cannot change w/o breaking stuff.

Just giving this warning because folks are always trying to "Fix" this and getting themselves in trouble.
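
The point above about the issuer being the CA's name rather than the host's, as an added illustration with plain OpenSSL (not part of the thread and not ZENworks tooling). The names zen-primary-01, zen-primary-02 and device-42 are constructed, and it assumes standard X.509 chain building, where a certificate's issuer name must match the CA certificate's subject name:

```shell
#!/bin/sh
# Added illustration: generic OpenSSL, all names are constructed.

# chains_to CA_CERT LEAF_CERT -> prints "ok" or "broken"
chains_to() {
    if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
        echo ok
    else
        echo broken
    fi
}

demo_ca_move() {
    d=$(mktemp -d) || return 1
    # CA created on the first primary: the CA's name goes into its subject.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=zen-primary-01" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # After a "move" the same ca.key/ca.crt live on another host and sign a
    # certificate there; the hostname of that box is never consulted.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=device-42" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null || return 1
    # The attempted "fix": same key, CA renamed after the new server.
    openssl req -x509 -new -key "$d/ca.key" -days 30 -subj "/CN=zen-primary-02" \
        -out "$d/renamed.crt" 2>/dev/null || return 1

    leaf_issuer=$(openssl x509 -noout -issuer_hash -in "$d/leaf.crt")
    ca_subject=$(openssl x509 -noout -subject_hash -in "$d/ca.crt")
    if [ "$leaf_issuer" = "$ca_subject" ]; then
        echo "issuer_matches_ca=yes"
    else
        echo "issuer_matches_ca=no"
    fi
    # Issued certs chain to the original CA name, wherever its files live...
    echo "original_ca=$(chains_to "$d/ca.crt" "$d/leaf.crt")"
    # ...and stop chaining once the CA is renamed, even with the same key.
    echo "renamed_ca=$(chains_to "$d/renamed.crt" "$d/leaf.crt")"
    rm -rf "$d"
}

demo_ca_move
```
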