
27.3. Configuring PKINIT in IdM


If your IdM servers are running with PKINIT disabled, use these steps to enable it. A server runs with PKINIT disabled if, for example, you passed the --no-pkinit option to the ipa-server-install or ipa-replica-install utility.

Prerequisites

Procedure

  1. Check if PKINIT is enabled on the server:
    # kinit admin
    Password for admin@IPA.TEST:
    # ipa pkinit-status --server=server.idm.example.com
    ----------------
    1 server matched
    ----------------
    Server name: server.idm.example.com
    PKINIT status: enabled
    ----------------------------
    Number of entries returned 1
    ----------------------------
    
    If PKINIT is disabled, you will see the following output:
    # ipa pkinit-status --server server.idm.example.com
    -----------------
    0 servers matched
    -----------------
    ----------------------------
    Number of entries returned 0
    ----------------------------
    
    If you omit the --server <server_fqdn> parameter, the command lists every IdM server with its PKINIT status, so you can also use it to find all the servers where PKINIT is enabled.
  2. If you are using IdM without a CA:
    1. On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate:
      # ipa-cacert-manage install -t CT,C,C ca.pem
    2. Update the local certificate databases on the server, then repeat the ipa-certupdate command on all replicas and clients so that every IPA host trusts the new CA:
      # ipa-certupdate
    3. Check if the CA certificate has already been added using the ipa-cacert-manage list command. For example:
      # ipa-cacert-manage list
      CN=CA,O=Example Organization
      The ipa-cacert-manage command was successful
      
    4. Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:
      • It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
      • It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME as a subjectAltName entry of type id-pkinit-san (OID 1.3.6.1.5.2.2).
      • It contains the Object Identifier (OID) for KDC authentication, 1.3.6.1.5.2.3.5 (id-pkinit-KPKdc), in its Extended Key Usage extension.
      Clients rely on the krbtgt principal name and the KDC EKU to tell the real KDC apart from any other certificate the same CA has issued, so a certificate that lacks either is not usable for PKINIT.
      # ipa-server-certinstall --kdc kdc.pem kdc.key
      # systemctl restart krb5kdc.service
    5. Check the PKINIT status:
      # ipa pkinit-status
        Server name: server1.example.com
        PKINIT status: enabled
        [...output truncated...]
        Server name: server2.example.com
        PKINIT status: disabled
        [...output truncated...]
      
      Each KDC has its own certificate, so repeat the preceding steps on every server that still reports PKINIT status: disabled.
  3. If you are using IdM with an integrated CA, enable PKINIT as follows:
    # ipa-pkinit-manage enable
      Configuring Kerberos KDC (krb5kdc)
      [1/1]: installing X509 Certificate for PKINIT
      Done configuring Kerberos KDC (krb5kdc).
      The ipa-pkinit-manage command was successful
    
    With an IdM CA, the command requests a PKINIT KDC certificate from the CA and installs it in the KDC; no external certificate is required.
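As an added example (not part of this Red Hat page or the IdM project's own tooling), the following stdlib-only Python script checks the three KDC certificate conditions from step 2.4 before you run ipa-server-certinstall. It walks the certificate's DER encoding directly, so the result does not depend on how a particular OpenSSL version prints otherName or Extended Key Usage entries. The host name kdc.idm.example.com, the realm IDM.EXAMPLE.COM and the script name check_kdc_cert.py are assumptions; the certificate produced by sample_cert() is constructed inline with a placeholder key and signature so the check can be exercised offline, and is not a real KDC certificate. Only the CN is compared, not the full certificate_subject_base.

```python
"""Added example (stdlib only): pre-flight check of an external KDC certificate for IdM PKINIT.
Checks the three conditions above: subject CN == KDC FQDN, an id-pkinit-san (1.3.6.1.5.2.2) otherName
carrying krbtgt/REALM@REALM, and an extendedKeyUsage containing id-pkinit-KPKdc (1.3.6.1.5.2.3.5)."""
import base64, sys
OID_CN, OID_SAN, OID_EKU, OID_PKINIT_SAN, OID_PKINIT_KDC = "2.5.4.3", "2.5.29.17", "2.5.29.37", "1.3.6.1.5.2.2", "1.3.6.1.5.2.3.5"

def tlv(buf, pos=0):
    """One DER TLV at pos -> (tag, value, next_pos); definite-length form only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Contents of a constructed value -> list of (tag, value)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, acc = ([2, b[0] - 80] if b[0] >= 80 else [b[0] // 40, b[0] % 40]), 0
    for byte in b[1:]:                                    # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def subject_cn(name):
    for _, rdn in children(name):                         # Name = SEQUENCE OF SET OF {type OID, value}
        for attr, value in map(children, (atv for _, atv in children(rdn))):
            if decode_oid(attr[1]) == OID_CN:
                return value[1].decode()

def eku_oids(ext_value):
    return {decode_oid(v) for t, v in children(tlv(ext_value)[1]) if t == 0x06} if ext_value else set()

def pkinit_principals(san_value):
    """'comp/comp@REALM' for every id-pkinit-san otherName in a SAN extension value."""
    found = []
    for tag, other in (children(tlv(san_value)[1]) if san_value else []):
        if tag != 0xA0 or decode_oid(children(other)[0][1]) != OID_PKINIT_SAN:
            continue                                      # keep only otherName [0] with type-id id-pkinit-san
        princ = children(children(other)[1][1])[0][1]     # [0] EXPLICIT value -> KRB5PrincipalName SEQUENCE
        realm_w, pname_w = children(princ)                # {[0] realm GeneralString, [1] principalName}
        realm = children(realm_w[1])[0][1].decode()
        _, names_w = children(children(pname_w[1])[0][1]) # PrincipalName {[0] name-type, [1] name-string}
        comps = [v.decode() for _, v in children(children(names_w[1])[0][1])]
        found.append("/".join(comps) + "@" + realm)
    return found

def check_kdc_cert(der_bytes, fqdn, realm):
    """Evaluate the three conditions on a DER certificate -> dict of booleans (all True = usable)."""
    fields = children(children(tlv(der_bytes)[1])[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                                # serial, sigAlg, issuer, validity, subject, spki, ...
    exts_w = next((v for t, v in fields[6:] if t == 0xA3), b"")   # [3] EXPLICIT Extensions
    exts = {decode_oid(p[0][1]): p[-1][1]                 # extension OID -> extnValue DER (critical flag skipped)
            for p in map(children, (e for _, e in (children(children(exts_w)[0][1]) if exts_w else [])))}
    return {"cn_matches_fqdn": subject_cn(subject) == fqdn,
            "has_krbtgt_san": f"krbtgt/{realm}@{realm}" in pkinit_principals(exts.get(OID_SAN, b"")),
            "has_kdc_eku": OID_PKINIT_KDC in eku_oids(exts.get(OID_EKU, b""))}

def der(tag, *parts):                                     # mini DER encoder, used only for the constructed sample
    body = b"".join(parts); n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def oid(dotted):
    """Dotted OID -> DER OID TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def sample_cert(fqdn, realm, san_realm=None, eku_oid=OID_PKINIT_KDC):
    """Constructed sample: syntactically valid cert with placeholder key/signature; vary san_realm/eku_oid for a bad one."""
    san_realm, gs = san_realm or realm, (lambda s: der(0x1B, s.encode()))       # 0x1B = GeneralString
    name = der(0x30, der(0x31, der(0x30, oid(OID_CN), der(0x0C, fqdn.encode()))))
    princ = der(0x30, der(0xA0, gs(san_realm)), der(0xA1, der(0x30, der(0xA0, der(0x02, b"\x02")),
                der(0xA1, der(0x30, gs("krbtgt"), gs(san_realm))))))
    san = der(0x30, der(0xA0, oid(OID_PKINIT_SAN), der(0xA0, princ)))
    ext = lambda o, v: der(0x30, oid(o), der(0x04, v))
    exts = der(0xA3, der(0x30, ext(OID_SAN, san), ext(OID_EKU, der(0x30, oid(eku_oid)))))
    alg = der(0x30, oid("1.2.840.113549.1.1.11"), der(0x05))                   # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"240101000000Z"), der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name, validity, name,
              der(0x30, alg, der(0x03, b"\x00" * 9)), exts)
    return der(0x30, tbs, alg, der(0x03, b"\x00" * 9))

if __name__ == "__main__":   # usage: python check_kdc_cert.py kdc.pem kdc.idm.example.com IDM.EXAMPLE.COM
    pem = open(sys.argv[1], "rb").read().split(b"-----")  # PEM -> DER; a DER file needs no decoding
    result = check_kdc_cert(base64.b64decode(pem[2]) if len(pem) > 1 else pem[0], *sys.argv[2:4])
    print("\n".join(f"{'OK  ' if ok else 'FAIL'} {k}" for k, ok in result.items()))
    sys.exit(0 if all(result.values()) else 1)
```

The SAN is read as an otherName ([0] IMPLICIT) whose type-id is id-pkinit-san and whose value is the KRB5PrincipalName structure from RFC 4556, and the EKU is matched by OID, so the check gives the same answer whether openssl would print the value as 1.3.6.1.5.2.3.5 or by name. The script does not verify the signature or the chain; trust in the issuing CA is what ipa-cacert-manage and ipa-certupdate establish in the preceding steps.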

Additional Resources

  • For more information, see ipa-server-certinstall(1) man page.