27.3. Configuring PKINIT in IdM

If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the ipa-server-install or ipa-replica-install utilities.

Prerequisites

Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.

Procedure

If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
- It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
- It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
- It contains the object identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.
```
# ipa-server-certinstall --kdc kdc.pem
# systemctl restart krb5kdc.service
```
For details, see the ipa-server-certinstall(1) man page.

Enable PKINIT:

$ ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful

If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.

To verify the new PKINIT status, see Section 27.2, “Displaying the Current PKINIT Configuration”.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

Red Hat Training

27.3. Configuring PKINIT in IdM

Prerequisites

Procedure