27.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.
- If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
- It is issued with the common name
- It includes the Kerberos principal
- It contains the object identifier (OID) for KDC authentication:
  # ipa-server-certinstall --kdc kdc.pem
  # systemctl restart krb5kdc.service
  For details, see the ipa-server-certinstall(1) man page.
- Enable PKINIT:
  $ ipa-pkinit-manage enable
  Configuring Kerberos KDC (krb5kdc)
    [1/1]: installing X509 Certificate for PKINIT
  Done configuring Kerberos KDC (krb5kdc).
  The ipa-pkinit-manage command was successful
  If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
- To verify the new PKINIT status, see Section 27.2, “Displaying the Current PKINIT Configuration”.
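Before handing an external KDC certificate to ipa-server-certinstall, it is worth checking the three conditions from step 2 on the DER itself. The script below is an added example, not IdM or ipa-server-certinstall code: it walks the certificate with a minimal DER reader (standard library only) and reports whether the subject CN matches the KDC host name, whether the subjectAltName carries the Kerberos principal krbtgt/REALM@REALM as an id-pkinit-san otherName, and whether the extendedKeyUsage contains the KDC authentication OID; the two PKINIT OIDs (1.3.6.1.5.2.2 and 1.3.6.1.5.2.3.5) are taken from RFC 4556, not from this chapter, and the embedded sample certificate with host kdc.ex.test and realm EX.TEST is constructed and unsigned.

```python
OID_CN, OID_SAN, OID_EKU = b"\x55\x04\x03", b"\x55\x1d\x11", b"\x55\x1d\x25"  # X.509: commonName, SAN, EKU
OID_PKINIT_SAN = b"\x2b\x06\x01\x05\x02\x02"    # id-pkinit-san 1.3.6.1.5.2.2 (RFC 4556, not from the IdM text)
OID_KDC_EKU = b"\x2b\x06\x01\x05\x02\x03\x05"   # id-pkinit-KPKdc 1.3.6.1.5.2.3.5 (RFC 4556)

def tlv(data):
    """Yield (tag, content) for each DER TLV in data."""
    pos = 0
    while pos < len(data):
        tag, n, pos = data[pos], data[pos + 1], pos + 2
        if n & 0x80:                                  # long form: low bits give the length's byte count
            n, pos = int.from_bytes(data[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        yield tag, data[pos:pos + n]
        pos += n

def first(data):
    return next(tlv(data))[1]                         # content of the first TLV: unwrap one layer

def pkinit_principals(general_names):
    """'comp/comp@REALM' for each id-pkinit-san otherName in a GeneralNames body."""
    out = []
    for tag, other in tlv(general_names):
        parts = list(tlv(other)) if tag == 0xA0 else []   # otherName is [0] IMPLICIT
        if len(parts) == 2 and parts[0][1] == OID_PKINIT_SAN:
            krb = dict(tlv(first(parts[1][1])))           # KRB5PrincipalName: [0] realm, [1] principalName
            pname = dict(tlv(first(krb[0xA1])))           # PrincipalName: [0] name-type, [1] name-string
            comps = [c.decode() for _, c in tlv(first(pname[0xA1]))]
            out.append("/".join(comps) + "@" + first(krb[0xA0]).decode())
    return out

def check_kdc_cert(cert_der, host, realm):
    """The three IdM KDC certificate conditions: CN is host, krbtgt/REALM SAN present, KDC EKU present."""
    fields = list(tlv(first(first(cert_der))))        # tbsCertificate fields
    subject = fields[5 if fields[0][0] == 0xA0 else 4][1]   # [0] version is optional
    rdns = [list(tlv(first(rdn))) for _, rdn in tlv(subject)]
    ok = {"cn": any(a[1] == OID_CN and v[1].decode() == host for a, v in rdns),
          "principal": False, "kdc_eku": False}
    for _, ext in tlv(first(next(c for t, c in fields if t == 0xA3))):   # [3] extensions
        parts = list(tlv(ext))                        # extnID, optional critical flag, extnValue
        oid, value = parts[0][1], first(parts[-1][1])
        if oid == OID_EKU:
            ok["kdc_eku"] = any(t == 0x06 and c == OID_KDC_EKU for t, c in tlv(value))
        elif oid == OID_SAN:
            ok["principal"] = f"krbtgt/{realm}@{realm}" in pkinit_principals(value)
    return ok

SAMPLE_CERT_DER = bytes.fromhex(  # constructed, unsigned: CN=kdc.ex.test, SAN krbtgt/EX.TEST@EX.TEST, KDC EKU
    "30818a308182a003020102020101300030003000" "30163114301206035504030c0b6b64632e65782e74657374"
    "3000a358305630120603551d25040b300906072b060105020305" "30400603551d1104393037a03506062b0601050202"
    "a02b3029a0091b0745582e54455354a11c301aa003020102a11330111b066b72627467741b0745582e54455354" "3000030100")
```

Run check_kdc_cert() on the bytes of a DER file (convert a PEM with openssl x509 -in kdc.pem -outform DER -out kdc.der) with the KDC host name and realm; all three values must be True before installing the certificate.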