27.3. Configuring PKINIT in IdM

If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the ipa-server-install or ipa-replica-install utilities.



  1. If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
    • It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
    • It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
    • It contains the object identifier (OID) for KDC authentication:
    # ipa-server-certinstall --kdc kdc.pem
    # systemctl restart krb5kdc.service
    For details, see the ipa-server-certinstall(1) man page.
  2. Enable PKINIT:
    $ ipa-pkinit-manage enable
    Configuring Kerberos KDC (krb5kdc)
      [1/1]: installing X509 Certificate for PKINIT
    Done configuring Kerberos KDC (krb5kdc).
    The ipa-pkinit-manage command was successful
    If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.