Chapter 27. Kerberos PKINIT Authentication in IdM

Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) is a preauthentication mechanism for Kerberos. As of Red Hat Enterprise Linux 7.4, the Identity Management (IdM) server includes a mechanism for Kerberos PKINIT authentication. The following sections give an overview of the PKINIT implementation in IdM and describe how to configure PKINIT in IdM.

27.1. Default PKINIT Status in Different IdM Versions

The default PKINIT configuration on your IdM servers depends on the version of IdM in Red Hat Enterprise Linux (RHEL) and the certificate authority (CA) configuration. See Table 27.1, “Default PKINIT configuration in IdM versions”.

Table 27.1. Default PKINIT configuration in IdM versions

RHEL version CA configuration PKINIT configuration
7.3 and earlier Without a CA Local PKINIT: IdM only uses PKINIT for internal purposes on servers.
7.3 and earlier With an integrated CA
IdM attempts to configure PKINIT by using the certificate signed by the integrated IdM CA.
If the attempt fails, IdM configures local PKINIT only.
7.4 and later
Without a CA
No external PKINIT certificate provided to IdM
Local PKINIT: IdM only uses PKINIT for internal purposes on servers.
7.4 and later
Without a CA
External PKINIT certificate provided to IdM
IdM configures PKINIT by using the external Kerberos key distribution center (KDC) certificate and CA certificate.
7.4 and later With an integrated CA IdM configures PKINIT by using the certificate signed by the IdM CA.
At domain level 0, PKINIT is disabled. The default behavior is local PKINIT: IdM only uses PKINIT for internal purposes on servers. See also Chapter 7, Displaying and Raising the Domain Level.