Chapter 27. Kerberos PKINIT Authentication in IdM
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) is a preauthentication mechanism for Kerberos. As of Red Hat Enterprise Linux 7.4, the Identity Management (IdM) server includes a mechanism for Kerberos PKINIT authentication. The following sections give an overview of the PKINIT implementation in IdM and describe how to configure PKINIT in IdM.
27.1. Default PKINIT Status in Different IdM Versions
The default PKINIT configuration on your IdM servers depends on the version of IdM in Red Hat Enterprise Linux (RHEL) and the certificate authority (CA) configuration. See Table 27.1, “Default PKINIT configuration in IdM versions”.
| RHEL version | CA configuration | PKINIT configuration |
|---|---|---|
| 7.3 and earlier | Without a CA | Local PKINIT: IdM only uses PKINIT for internal purposes on servers. |
| 7.3 and earlier | With an integrated CA |
IdM attempts to configure PKINIT by using the certificate signed by the integrated IdM CA.
If the attempt fails, IdM configures local PKINIT only.
|
| 7.4 and later |
Without a CA
No external PKINIT certificate provided to IdM
| Local PKINIT: IdM only uses PKINIT for internal purposes on servers. |
| 7.4 and later |
Without a CA
External PKINIT certificate provided to IdM
| IdM configures PKINIT by using the external Kerberos key distribution center (KDC) certificate and CA certificate. |
| 7.4 and later | With an integrated CA | IdM configures PKINIT by using the certificate signed by the IdM CA. |
At domain level 0, PKINIT is disabled. The default behavior is local PKINIT: IdM only uses PKINIT for internal purposes on servers. See also Chapter 7, Displaying and Raising the Domain Level.
