27.2. Displaying the Current PKINIT Configuration

IdM provides multiple commands you can use to query the PKINIT configuration in your domain.

To determine the PKINIT status in your domain, use the ipa pkinit-status command:

$ ipa pkinit-status
  Server name: server1.example.com
  PKINIT status: enabled
  [...output truncated...]
  Server name: server2.example.com
  PKINIT status: disabled
  [...output truncated...]

To determine the PKINIT status on the server where you are logged in, use the ipa-pkinit-manage status command:

# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful

The commands display the PKINIT configuration status as enabled or disabled:

enabled: PKINIT is configured using a certificate signed by the integrated IdM CA or an external PKINIT certificate. See also Section 27.1, “Default PKINIT Status in Different IdM Versions”.
disabled: IdM only uses PKINIT for internal purposes on IdM servers.

To display the IdM servers with active Kerberos key distribution centers (KDCs) that support PKINIT for IdM clients, use the ipa config-show command on any server:

$ ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  [...output truncated...]
  IPA masters capable of PKINIT: server1.example.com
  [...output truncated...]

Additional Resources

For more details on the command-line tools for reporting the PKINIT status, use the ipa help pkinit command.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

27.2. Displaying the Current PKINIT Configuration

Additional Resources