Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 15. Kerberos PKINIT authentication in IdM

Use Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) to authenticate to Identity Management (IdM) using certificates instead of passwords. PKINIT provides stronger authentication by using public key cryptography for Kerberos preauthentication.

15.1. Default PKINIT configuration
Link kopieren

Understand how the default PKINIT configuration in Identity Management (IdM) varies based on your certificate authority setup. PKINIT configuration determines how servers and clients authenticate using public key cryptography.

Expand
Table 15.1. Default PKINIT configuration in IdM
CA configurationPKINIT configuration

Without a CA, no external PKINIT certificate provided

Local PKINIT: IdM only uses PKINIT for internal purposes on servers.

Without a CA, external PKINIT certificate provided to IdM

IdM configures PKINIT by using the external Kerberos key distribution center (KDC) certificate and CA certificate.

With an Integrated CA

IdM configures PKINIT by using the certificate signed by the IdM CA.

15.2. Displaying the current PKINIT configuration
Link kopieren

Display PKINIT configuration settings in Identity Management (IdM) to verify that certificate-based authentication is properly configured. Checking PKINIT status helps troubleshoot authentication issues and validate security policies.

Procedure

  • To determine the PKINIT status in your domain, use the ipa pkinit-status command: 

    $ ipa pkinit-status
  Server name: server1.example.com
  PKINIT status: enabled
  [...output truncated...]
  Server name: server2.example.com
  PKINIT status: disabled
  [...output truncated...]

    The command displays the PKINIT configuration status as enabled or disabled:

    • enabled: PKINIT is configured using a certificate signed by the integrated IdM CA or an external PKINIT certificate.
    • disabled: IdM only uses PKINIT for internal purposes on IdM servers.

  • To list the IdM servers with active Kerberos key distribution centers (KDCs) that support PKINIT for IdM clients, use the ipa config-show command on any server: 

    $ ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  [...output truncated...]
  IPA masters capable of PKINIT: server1.example.com
  [...output truncated...]

15.3. Configuring PKINIT in IdM
Link kopieren

Enable PKINIT on Identity Management (IdM) servers to allow certificate-based Kerberos authentication. PKINIT strengthens security by using public key cryptography for initial authentication instead of passwords alone.

Prerequisites

  • Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level.

Procedure

  1. Check if PKINIT is enabled on the server: 

    # kinit admin

Password for admin@IDM.EXAMPLE.COM:
# ipa pkinit-status --server=server.idm.example.com
1 server matched
----------------
Server name: server.idm.example.com
PKINIT status:enabled
----------------------------
Number of entries returned 1
----------------------------

    If PKINIT is disabled, you will see the following output: 

    # ipa pkinit-status --server server.idm.example.com
-----------------
0 servers matched
-----------------
----------------------------
Number of entries returned 0
----------------------------

    You can also use the command to find all the servers where PKINIT is enabled if you omit the --server <server_fqdn> parameter.

  2. If you are using IdM without CA:

    1. On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate: 

      # ipa-cacert-manage install -t CT,C,C ca.pem

    2. To update all IPA hosts, repeat the ipa-certupdate command on all replicas and clients: 

      # ipa-certupdate

    3. Check if the CA certificate has already been added using the ipa-cacert-manage list command. For example: 

      # ipa-cacert-manage list
CN=CA,O=Example Organization
The ipa-cacert-manage command was successful

    4. Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:

      • It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
      • It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.

      • It contains the Object Identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5. 

        # ipa-server-certinstall --kdc kdc.pem kdc.key

# systemctl restart krb5kdc.service

    5. See your PKINIT status: 

      # ipa pkinit-status
  Server name: server1.example.com
  PKINIT status: enabled
  [...output truncated...]
  Server name: server2.example.com
  PKINIT status: disabled
  [...output truncated...]

  3. If you are using IdM with a CA certificate, enable PKINIT as follows: 

    # ipa-pkinit-manage enable
  Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
  Done configuring Kerberos KDC (krb5kdc).
  The ipa-pkinit-manage command was successful

    If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.

Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben