Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

27.3. Configuring PKINIT in IdM

If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the ipa-server-install or ipa-replica-install utilities.



  1. If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
    • It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
    • It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
    • It contains the object identifier (OID) for KDC authentication:
    # ipa-server-certinstall --kdc kdc.pem
    # systemctl restart krb5kdc.service
    For details, see the ipa-server-certinstall(1) man page.
  2. Enable PKINIT:
    $ ipa-pkinit-manage enable
    Configuring Kerberos KDC (krb5kdc)
      [1/1]: installing X509 Certificate for PKINIT
    Done configuring Kerberos KDC (krb5kdc).
    The ipa-pkinit-manage command was successful
    If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.