Show Table of Contents
27.2. Displaying the Current PKINIT Configuration
IdM provides multiple commands you can use to query the PKINIT configuration in your domain.
To determine the PKINIT status in your domain, use the
ipa pkinit-status command:
$ ipa pkinit-status
Server name: server1.example.com
PKINIT status: enabled
[...output truncated...]
Server name: server2.example.com
PKINIT status: disabled
[...output truncated...]
To determine the PKINIT status on the server where you are logged in, use the
ipa-pkinit-manage status command:
# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
The commands display the PKINIT configuration status as
enabled or disabled:
enabled: PKINIT is configured using a certificate signed by the integrated IdM CA or an external PKINIT certificate. See also Section 27.1, “Default PKINIT Status in Different IdM Versions”.disabled: IdM only uses PKINIT for internal purposes on IdM servers.
To display the IdM servers with active Kerberos key distribution centers (KDCs) that support PKINIT for IdM clients, use the
ipa config-show command on any server:
$ ipa config-show
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
[...output truncated...]
IPA masters capable of PKINIT: server1.example.com
[...output truncated...]Additional Resources
- For more details on the command-line tools for reporting the PKINIT status, use the
ipa help pkinitcommand.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.