If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the ipa-server-install or ipa-replica-install utilities.
If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
It contains the object identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.
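The following is an added example, not part of the IdM documentation or the ipa tooling: a stdlib-only Python check that walks a PEM certificate's DER structure and reports whether each of the three conditions above holds (subject in RFC 2253 order, the krbtgt/REALM@REALM KRB5PrincipalName carried in a subjectAltName otherName as defined in RFC 4556, and the KDC authentication EKU 1.3.6.1.5.2.3.5). The host name, realm and subject base are whatever your deployment uses; the check assumes single-valued RDNs and a single KRB5PrincipalName entry.

```python
# Added example (not IdM code): check a PEM KDC certificate against the three conditions above.
import base64
ATTR = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}  # subject attribute OIDs
SAN, EKU, KRB5_PRINCIPAL_NAME, KDC_AUTH = "2.5.29.17", "2.5.29.37", "1.3.6.1.5.2.2", "1.3.6.1.5.2.3.5"

def children(buf):  # split a DER blob into its top-level (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln])); pos += ln
    return out

def leaves(buf):  # flatten constructed types (bit 0x20 set) into primitive (tag, value) leaves, in order
    return [leaf for tag, val in children(buf) for leaf in (leaves(val) if tag & 0x20 else [(tag, val)])]

def oid(b):  # decode a DER OBJECT IDENTIFIER value to dotted form
    parts, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80: parts.append(v); v = 0
    return ".".join(map(str, parts))

def check_kdc_cert(pem, fqdn, realm, subject_base):
    """Return {'subject', 'principal', 'kdc_eku'} -> bool, one entry per condition."""
    der = base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))
    cert = children(children(der)[0][1])  # tbsCertificate, signatureAlgorithm, signatureValue
    tbs = children(cert[0][1])  # tbsCertificate fields
    if tbs[0][0] == 0xA0: tbs = tbs[1:]  # drop the [0] EXPLICIT version field if present
    subj = leaves(tbs[4][1])  # after serial, signature, issuer, validity comes subject
    rdns = [f"{ATTR.get(oid(o), oid(o))}={v.decode()}" for (_, o), (_, v) in zip(subj[::2], subj[1::2])]
    eku, principal = [], None
    exts = children(children(tbs[-1][1])[0][1]) if tbs[-1][0] == 0xA3 else []  # [3] Extensions
    for _, ext in exts:
        fields = children(ext)  # OID, optional critical BOOLEAN, OCTET STRING holding the value
        ext_oid, body = oid(fields[0][1]), fields[-1][1]
        if ext_oid == EKU:
            eku = [oid(v) for _, v in leaves(body)]
        elif ext_oid == SAN:
            lv = leaves(body)
            for i, (tag, val) in enumerate(lv):
                if tag == 0x06 and oid(val) == KRB5_PRINCIPAL_NAME and principal is None:
                    # KRB5PrincipalName: realm GeneralString (0x1B) first, then the name-string components
                    gs = [x.decode() for t, x in lv[i + 1:] if t == 0x1B]
                    principal = "/".join(gs[1:]) + "@" + gs[0]
    return {"subject": ",".join(reversed(rdns)) == f"CN={fqdn},{subject_base}",
            "principal": principal == f"krbtgt/{realm}@{realm}",
            "kdc_eku": KDC_AUTH in eku}
```

Run it on the certificate before handing it to ipa-server-certinstall; any False entry means the external CA has to reissue it.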