27.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option to the ipa-server-install or ipa-replica-install utility.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.
Procedure
- If you are using IdM without a CA, use the ipa-server-certinstall utility to install an external Kerberos key distribution center (KDC) certificate. The KDC certificate must meet the following conditions:
  - It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
  - It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
  - It contains the object identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.

  # ipa-server-certinstall --kdc kdc.pem
  # systemctl restart krb5kdc.service

  For details, see the ipa-server-certinstall(1) man page.
- Enable PKINIT:

  $ ipa-pkinit-manage enable
  Configuring Kerberos KDC (krb5kdc)
    [1/1]: installing X509 Certificate for PKINIT
  Done configuring Kerberos KDC (krb5kdc).
  The ipa-pkinit-manage command was successful

  If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
- To verify the new PKINIT status, see Section 27.2, “Displaying the Current PKINIT Configuration”.