27.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option to the ipa-server-install or ipa-replica-install utilities.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.
Procedure
- Check if PKINIT is enabled on the server:

      # kinit admin
      Password for admin@IPA.TEST:
      # ipa pkinit-status --server=server.idm.example.com
      ----------------
      1 server matched
      ----------------
        Server name: server.idm.example.com
        PKINIT status: enabled
      ----------------------------
      Number of entries returned 1
      ----------------------------

  If PKINIT is disabled, you will see the following output:

      # ipa pkinit-status --server server.idm.example.com
      -----------------
      0 servers matched
      -----------------
      ----------------------------
      Number of entries returned 0
      ----------------------------

  You can also use the command to find all the servers where PKINIT is enabled if you omit the --server <server_fqdn> parameter.

- If you are using IdM without a CA:
  - On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate:

        # ipa-cacert-manage install -t CT,C,C ca.pem

  - To update all IPA hosts, repeat the ipa-certupdate command on all replicas and clients:

        # ipa-certupdate

  - Check whether the CA certificate has already been added using the ipa-cacert-manage list command. For example:

        # ipa-cacert-manage list
        CN=CA,O=Example Organization
        The ipa-cacert-manage command was successful

  - Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:
    - It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
    - It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
    - It contains the Object Identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.

        # ipa-server-certinstall --kdc kdc.pem kdc.key
        # systemctl restart krb5kdc.service

  - See your PKINIT status:

        # ipa pkinit-status
          Server name: server1.example.com
          PKINIT status: enabled
        [...output truncated...]
          Server name: server2.example.com
          PKINIT status: disabled
        [...output truncated...]
- If you are using IdM with a CA certificate, enable PKINIT as follows:

      # ipa-pkinit-manage enable
      Configuring Kerberos KDC (krb5kdc)
        [1/1]: installing X509 Certificate for PKINIT
      Done configuring Kerberos KDC (krb5kdc).
      The ipa-pkinit-manage command was successful

  If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
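The three conditions on the external KDC certificate in the without-CA branch above are easy to get wrong, and ipa-server-certinstall is not the first place you want to find out. The following pre-check is an added example, not part of the IdM tooling or the Red Hat documentation: it uses the Python cryptography library to test a PEM certificate against the subject CN, the KDC-authentication EKU and the krbtgt/REALM@REALM otherName before the certificate is installed. The FQDN and realm values, and the minimal DER walk over the KRB5PrincipalName otherName, are assumptions of this snippet.

```python
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

ID_PKINIT_SAN = ObjectIdentifier("1.3.6.1.5.2.2")      # otherName carrying KRB5PrincipalName
ID_PKINIT_KPKDC = ObjectIdentifier("1.3.6.1.5.2.3.5")  # EKU for KDC authentication (from the page)


def _general_strings(der: bytes) -> list[str]:
    """Flat DER walk collecting every GeneralString (tag 0x1B): realm first, then name components."""
    out, i = [], 0
    while i < len(der):
        tag, ln = der[i], der[i + 1]
        i += 2
        if ln & 0x80:                      # long-form length: low bits give the number of length bytes
            n = ln & 0x7F
            ln, i = int.from_bytes(der[i:i + n], "big"), i + n
        if tag & 0x20:                     # constructed (SEQUENCE, [0], [1]): descend into the contents
            continue
        if tag == 0x1B:
            out.append(der[i:i + ln].decode("ascii"))
        i += ln
    return out


def check_kdc_cert(pem: bytes, fqdn: str, realm: str) -> list[str]:
    """Return the unmet requirements for the KDC certificate in `pem` (empty list = acceptable)."""
    cert = x509.load_pem_x509_certificate(pem)
    problems = []
    cns = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [fqdn]:                      # CN=<fqdn>; the subject base (O=...) is not checked here
        problems.append(f"subject CN {cns} is not {fqdn}")
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        eku = []
    if ID_PKINIT_KPKDC not in eku:
        problems.append("EKU lacks the KDC authentication OID 1.3.6.1.5.2.3.5")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        san = []
    principals = []
    for name in san:
        if isinstance(name, x509.OtherName) and name.type_id == ID_PKINIT_SAN:
            parts = _general_strings(name.value)
            if parts:                      # parts[0] is the realm, the rest are the name-string components
                principals.append("/".join(parts[1:]) + "@" + parts[0])
    wanted = f"krbtgt/{realm}@{realm}"
    if wanted not in principals:
        problems.append(f"SAN lacks the Kerberos principal {wanted}; found {principals}")
    return problems
```

Run it as check_kdc_cert(open("kdc.pem", "rb").read(), "kdc.idm.example.com", "IDM.EXAMPLE.COM") and install the certificate only when it returns an empty list.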
Additional Resources
- For more information, see the ipa-server-certinstall(1) man page.