Currently the CRL generation is only done by the master and there can be only a single master in the whole system. If the master becomes unavailable, another replica will have to be promoted to become a new master.

Currently the process has to be done manually on both master and replica's configuration files. On IPA this involves updating:

• CRL cache configuration (i.e. ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates in CS.cfg)
• CRL generation/delegation configuration (i.e. RewriteRule in ipa-pki-proxy.conf)

See: http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Proposed solution: The above file-based configuration should be moved into database so it's no longer necessary to access each server directly. Each server will have a corresponding configuration in the database. The migration can happen during server startup time. Replica promotion will be done by changing the configuration in the database for the old master and for the new replica. The servers should listen for changes on its own configuration (e.g. using persistent search). When a change is detected, the server should enable/disable the cache or generate CRL/delegate CRL generation according to the new configuration in the database. There should be an interface (e.g. CLI) to manage the configuration in the database. The installer should add the initial entries in the database. The old configuration parameters in CS.cfg and ipa-pki-proxy.conf should be removed with an upgrade script.

An alternate solution is discussed in ticket #1259.

Proposed milestone: 10.3