27.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option to the ipa-server-install or ipa-replica-install utility.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.
Procedure
- If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
  - It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
  - It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
  - It contains the object identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.

  # ipa-server-certinstall --kdc kdc.pem
  # systemctl restart krb5kdc.service

  For details, see the ipa-server-certinstall(1) man page.
- Enable PKINIT:

  $ ipa-pkinit-manage enable
  Configuring Kerberos KDC (krb5kdc)
    [1/1]: installing X509 Certificate for PKINIT
  Done configuring Kerberos KDC (krb5kdc).
  The ipa-pkinit-manage command was successful

  If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
- To verify the new PKINIT status, see Section 27.2, “Displaying the Current PKINIT Configuration”.
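The first step of the procedure lists the conditions an externally issued KDC certificate must meet. The following pre-flight check is an added example, not code from the IdM documentation or from ipa-server-certinstall: it verifies the subject CN and the PKINIT KDC EKU OID 1.3.6.1.5.2.3.5 before the certificate is installed. The Kerberos-principal SAN entry is an otherName that needs an ASN.1 decoder, so it is not checked; the host name and realm in make_test_cert are constructed placeholders, and -addext assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added pre-flight check for an external KDC certificate (not IdM code).
# Checks two of the three documented conditions: subject CN and the PKINIT
# KDC EKU. The krbtgt/REALM@REALM otherName in the SAN is not decoded here.

KDC_EKU_OID='1.3.6.1.5.2.3.5'
# The same OID as DER bytes (tag 06, length 07, 2b 06 01 05 02 03 05), so the
# check does not depend on which OID names the local OpenSSL build knows.
KDC_EKU_HEX='06072b060105020305'

# check_kdc_cert PEM FQDN -> 0 if the CN matches and the KDC EKU OID is present
check_kdc_cert() {
    pem=$1; fqdn=$2
    # RFC 2253 output reads "subject=O=...,CN=host" with no padding spaces
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    printf '%s\n' "$subject" | grep -Eq "(^subject=|,)CN=${esc}(,|$)" || {
        echo "subject CN is not ${fqdn}: ${subject}" >&2; return 1; }
    # Search the DER for the encoded OID; adequate for a pre-flight check,
    # a strict parser would confine the search to the EKU extension.
    openssl x509 -in "$pem" -outform DER | od -An -tx1 | tr -d ' \n' \
        | grep -q "$KDC_EKU_HEX" || {
        echo "certificate lacks PKINIT KDC EKU ${KDC_EKU_OID}" >&2; return 1; }
    return 0
}

# make_test_cert OUT FQDN EKU: throwaway self-signed certificate used only to
# exercise check_kdc_cert (constructed realm EXAMPLE.TEST)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -subj "/CN=$2/O=EXAMPLE.TEST" -addext "extendedKeyUsage=$3" \
        -out "$1" 2>/dev/null
}

# Demo run on a constructed host; in practice point check_kdc_cert at the
# kdc.pem you are about to pass to "ipa-server-certinstall --kdc".
main() {
    dir=$(mktemp -d)
    make_test_cert "$dir/kdc.pem" kdc.example.test "$KDC_EKU_OID"
    if check_kdc_cert "$dir/kdc.pem" kdc.example.test; then
        echo "kdc.pem passes the CN and EKU checks"
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then main; fi
```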