Issue

I have to retire the IPA server that was functioning as my CA Master. Per the instructions from Red Hat (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/server-roles) Section 6.5.2 "Promoting a Replica to a Master CA Server", I changed the CA Renewal Master, disabled CRL generation on the original Master, and configured the new CA Master to generate CRLs. After restarting services, the MasterCRL.bin file does not exist as expected.

Steps to Reproduce

1. Install new IPA Server as a replica with CA role installed.
2. Set CA Renewal Master to new IPA Server via webUI.
3. Disable CRL Generation on original CA Master.
4. Enable CRL Generation on new CA Master.

Actual behavior

CRL is not generated.

Expected behavior

MasterCRL.bin file should be generated immediately on new CA Master.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-10.el7.centos.6.x86_64
ipa-client-4.6.4-10.el7.centos.6.x86_64
389-ds-base-1.3.8.4-25.1.el7_6.x86_64
pki-ca-10.5.9-13.el7_6.noarch
krb5-server-1.15.1-37.el7_6.x86_64

Additional info:

I'm hoping that this is just impatience on my part and that the CRL will be generated per the default 4-hour interval; however, I can't help but think that upon being promoted to Master, a CA server should check to see if the MasterCRL.bin file exists locally, and if not, trigger an automatic CRL generation so that the promotion to Master CA Server can be validated more quickly. If what I'm experiencing is the expected behavior, then perhaps this could end up as an enhancement...