If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the
If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
It is issued with the common name
It includes the Kerberos principal
It contains the object identifier (OID) for KDC authentication:
ipa-server-certinstall --kdc kdc.pem
systemctl restart krb5kdc.service
For details, see the ipa-server-certinstall(1) man page.
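The script below is an added example, not part of the IdM documentation or tooling: it checks an externally issued KDC certificate against the three conditions above before you hand it to ipa-server-certinstall --kdc, so a certificate that the external CA issued with an ordinary TLS profile is caught before krb5kdc is restarted with it. It assumes a PEM certificate and an installed openssl (1.1.1 or later), expects the principal in the form krbtgt/REALM@REALM inside an id-pkinit-san otherName and the KDC authentication OID 1.3.6.1.5.2.3.5 in the Extended Key Usage (both per RFC 4556), and uses kdc.example.com and EXAMPLE.COM as placeholder host and realm names. Because openssl cannot pretty-print a PKINIT otherName, the check reads the raw extension octets with openssl asn1parse and matches their DER encoding. make_demo_cert builds throwaway self-signed certificates (one with the PKINIT profile, one plain TLS server certificate) so the check can be exercised offline; a real KDC certificate comes from your external CA.

```shell
#!/bin/sh
# check_kdc_cert.sh: pre-flight check of an externally issued KDC certificate
# before it is handed to "ipa-server-certinstall --kdc". Added example, not
# part of IdM. Assumes a PEM certificate and an openssl binary (1.1.1+);
# kdc.example.com / EXAMPLE.COM used below are placeholders.
set -u

# DER of the two object identifiers we look for (lowercase hex):
#   1.3.6.1.5.2.2   id-pkinit-san   (otherName type carrying KRB5PrincipalName)
#   1.3.6.1.5.2.3.5 id-pkinit-KPKdc (EKU: KDC authentication, RFC 4556)
OID_PKINIT_SAN_DER="06062b0601050202"
OID_PKINIT_KDC_DER="06072b060105020305"

# hex_of STRING: the bytes of STRING as lowercase hex (od is POSIX).
hex_of() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }

# generalstring_der STRING: DER of a KerberosString (GeneralString, tag 0x1b)
# for ASCII strings shorter than 128 bytes: 1b <len> <bytes>.
generalstring_der() { printf '1b%02x%s' "${#1}" "$(hex_of "$1")"; }

# ext_hex CERT "X509v3 Extension Name": raw extnValue of that extension as hex.
# Taken from "openssl asn1parse", which prints the undecoded octets; this
# sidesteps "openssl x509 -text", which cannot render a PKINIT otherName.
ext_hex() {
    openssl asn1parse -in "$1" 2>/dev/null | awk -v name="$2" '
        index($0, ":" name) { found = 1; next }
        found && /OCTET STRING/ { if (sub(/.*\[HEX DUMP\]:/, "")) print; exit }
    ' | tr 'A-F' 'a-f'
}

# check_kdc_cert CERT FQDN REALM: 0 if CERT meets all three conditions,
# 1 with a reason on stderr otherwise.
check_kdc_cert() {
    cert=$1 fqdn=$2 realm=$3
    # 1. Subject CN is the KDC's fully qualified host name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: subject CN is '${cn:-<none>}', expected '$fqdn'" >&2
        return 1
    fi
    # 2. Extended Key Usage contains the KDC authentication OID.
    case "$(ext_hex "$cert" "X509v3 Extended Key Usage")" in
        *"$OID_PKINIT_KDC_DER"*) ;;
        *) echo "FAIL: no KDC authentication (1.3.6.1.5.2.3.5) in EKU" >&2
           return 1 ;;
    esac
    # 3. SAN has an id-pkinit-san otherName whose KRB5PrincipalName is
    #    krbtgt/REALM@REALM: realm, then name-string ["krbtgt", REALM].
    realm_der=$(generalstring_der "$realm")
    case "$(ext_hex "$cert" "X509v3 Subject Alternative Name")" in
        *"$OID_PKINIT_SAN_DER"*"$realm_der"*"$(generalstring_der krbtgt)$realm_der"*) ;;
        *) echo "FAIL: SAN lacks PKINIT principal krbtgt/$realm@$realm" >&2
           return 1 ;;
    esac
    echo "OK: $cert can be installed as the PKINIT KDC certificate of $fqdn"
}

# make_demo_cert DIR FQDN REALM pkinit|plain: throwaway self-signed cert to
# try the check offline. "pkinit" carries the KDC EKU and the principal
# otherName (OpenSSL's ASN.1 generation syntax for KRB5PrincipalName);
# "plain" is an ordinary TLS server cert that must be rejected. Prints the
# PEM path. A real KDC certificate comes from the external CA, not from here.
make_demo_cert() {
    dir=$1 fqdn=$2 realm=$3 kind=$4
    cat >"$dir/$kind.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[plain]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
[pkinit]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ
[princ]
realm = EXP:0, GeneralString:$realm
principal_name = EXP:1, SEQUENCE:princ_name
[princ_name]
name_type = EXP:0, INTEGER:2
name_string = EXP:1, SEQUENCE:princ_parts
[princ_parts]
part1 = GeneralString:krbtgt
part2 = GeneralString:$realm
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=$realm/CN=$fqdn" -config "$dir/$kind.cnf" \
        -extensions "$kind" -keyout "$dir/$kind.key" -out "$dir/$kind.pem" \
        2>/dev/null
    echo "$dir/$kind.pem"
}

# Usage: sh check_kdc_cert.sh kdc.pem kdc.example.com EXAMPLE.COM
if [ $# -eq 3 ]; then
    check_kdc_cert "$1" "$2" "$3" || exit 1
fi
```

Run it as `sh check_kdc_cert.sh kdc.pem kdc.example.com EXAMPLE.COM` with your own host and realm; a non-zero exit and a FAIL line mean the certificate should go back to the CA rather than into ipa-server-certinstall. Matching the DER of the principal components (rather than parsing the otherName) is deliberate: it works on every openssl version that can parse the certificate, at the price of not checking the surrounding tags, which is acceptable for a pre-flight check since the KDC itself rejects a malformed SAN at startup.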
To enable PKINIT, run ipa-pkinit-manage enable; the output looks like this:
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.