On 08/29/2012 06:04 AM, Rob Crittenden wrote:
I can't find any documentation how we'd handle this in IPA, so before
a customer runs into it...
What happens if someone sets up multiple IPA servers and only has a CA
installed on one of them, and that server goes away forever for some
reason (they deleted the replica, horrific failure, etc)?
Let's also assume they saved the original CA PKCS#12 file.
You may need to save more than the original CA PKCS#12 file.
You should also save the CA's internal database and remember how it was
customized.
Is there some mechanism to either stand up a new dogtag instance with
this CA's key? Would it be better to stand up a new server as a
subordinate of this CA?
I'm not entirely sure of the mechanics we'd use for either of these,
but it's a start.
thanks
rob