27.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option to the ipa-server-install or ipa-replica-install utility.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.
Procedure
- If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
  - It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
  - It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
  - It contains the object identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.

  # ipa-server-certinstall --kdc kdc.pem
  # systemctl restart krb5kdc.service

  For details, see the ipa-server-certinstall(1) man page.
- Enable PKINIT:

  $ ipa-pkinit-manage enable
  Configuring Kerberos KDC (krb5kdc)
    [1/1]: installing X509 Certificate for PKINIT
  Done configuring Kerberos KDC (krb5kdc).
  The ipa-pkinit-manage command was successful

  If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
- To verify the new PKINIT status, see Section 27.2, “Displaying the Current PKINIT Configuration”.
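As an added pre-flight check for the external KDC certificate in step 1 (example code, not part of the original page or of IdM), kdc_cert_problems below uses the Python cryptography library to test a loaded certificate against the three listed conditions. It assumes the principal is carried as an id-pkinit-san otherName (OID 1.3.6.1.5.2.2) encoded per RFC 4556 section 3.2.2 with name-type 2 (NT-SRV-INST), as MIT Kerberos documents for KDC certificates; the certificate_subject_base part of the subject is not checked, and sample_cert only builds a constructed self-signed certificate so the check can be exercised.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

ID_PKINIT_SAN = ObjectIdentifier("1.3.6.1.5.2.2")    # otherName type: KRB5PrincipalName (assumed, RFC 4556)
ID_PKINIT_KDC = ObjectIdentifier("1.3.6.1.5.2.3.5")  # KDC authentication EKU named in the procedure

def _tlv(tag, body):  # minimal DER TLV encoder; every value built here is shorter than 128 bytes
    return bytes([tag, len(body)]) + body

def krb5_principal_name(realm, *components):
    """DER KRB5PrincipalName (RFC 4556 3.2.2): explicit context tags, GeneralString (0x1B) text."""
    realm_der = _tlv(0xA0, _tlv(0x1B, realm.encode()))                      # [0] realm
    name_type = _tlv(0xA0, _tlv(0x02, b"\x02"))                             # [0] name-type 2 = NT-SRV-INST
    names = _tlv(0xA1, _tlv(0x30, b"".join(_tlv(0x1B, c.encode()) for c in components)))  # [1] name-string
    return _tlv(0x30, realm_der + _tlv(0xA1, _tlv(0x30, name_type + names)))  # [1] principalName

def kdc_cert_problems(cert, fqdn, realm):
    """List the conditions from the procedure that cert fails; an empty list means it passes."""
    problems = []
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cn or cn[0].value != fqdn:
        problems.append(f"subject CN is not {fqdn}")
    try:
        if ID_PKINIT_KDC not in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value:
            problems.append("extendedKeyUsage lacks 1.3.6.1.5.2.3.5")
    except x509.ExtensionNotFound:
        problems.append("no extendedKeyUsage extension")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if not any(n.type_id == ID_PKINIT_SAN and n.value == krb5_principal_name(realm, "krbtgt", realm)
                   for n in san.get_values_for_type(x509.OtherName)):
            problems.append(f"SAN lacks principal krbtgt/{realm}@{realm}")
    except x509.ExtensionNotFound:
        problems.append("no subjectAltName extension")
    return problems

def sample_cert(fqdn, realm):  # constructed self-signed certificate for exercising the check, not an IdM artifact
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    san = [x509.OtherName(ID_PKINIT_SAN, krb5_principal_name(realm, "krbtgt", realm))]
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.ExtendedKeyUsage([ID_PKINIT_KDC]), critical=False)
            .add_extension(x509.SubjectAlternativeName(san), critical=False)
            .sign(key, hashes.SHA256()))
```

For a real file, pass x509.load_pem_x509_certificate(open("kdc.pem", "rb").read()) together with the server FQDN and realm; an empty list means all three conditions hold.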