27.3. Configuring PKINIT in IdM

If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option to the ipa-server-install or ipa-replica-install utility. PKINIT lets Kerberos clients authenticate to the key distribution center (KDC) with X.509 certificates instead of passwords, so the KDC needs a certificate of its own that clients can validate: with an integrated CA, IdM issues that certificate itself; without a CA, you must install one issued by an external CA.



  1. Check if PKINIT is enabled on the server:
    # kinit admin
    Password for admin@IPA.TEST:
    # ipa pkinit-status --server <server_fqdn>
    1 server matched
    Server name:
    PKINIT status: enabled
    Number of entries returned 1
    If PKINIT is disabled on the server you specified, no server matches:
    # ipa pkinit-status --server <server_fqdn>
    0 servers matched
    Number of entries returned 0
    If you omit the --server <server_fqdn> parameter, the command lists every server on which PKINIT is enabled.
  2. If you are using IdM without CA:
    1. On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate:
      # ipa-cacert-manage install -t CT,C,C ca.pem
    2. Run ipa-certupdate on the server, then repeat it on every replica and client so that all IdM hosts pick up the new CA certificate; PKINIT clients cannot validate the KDC certificate until they trust the CA that signed it:
      # ipa-certupdate
    3. Check that the CA certificate is now listed by the ipa-cacert-manage list command. For example:
      # ipa-cacert-manage list
      CN=CA,O=Example Organization
      The ipa-cacert-manage command was successful
    4. Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:
      • It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
      • It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME as a Subject Alternative Name (the id-pkinit-san otherName defined in RFC 4556).
      • It contains the Object Identifier (OID) for KDC authentication in its Extended Key Usage (id-pkinit-KPKdc, OID 1.3.6.1.5.2.3.5, defined in RFC 4556).
      Install the certificate and its private key, then restart the KDC so that it loads them:
      # ipa-server-certinstall --kdc kdc.pem kdc.key
      # systemctl restart krb5kdc.service
    5. Check the PKINIT status again. Without the --server parameter the command reports every server; confirm that the server you just configured is listed as enabled:
      # ipa pkinit-status
        Server name:
        PKINIT status: enabled
        [...output truncated...]
        Server name:
        PKINIT status: disabled
        [...output truncated...]
  3. If you are using IdM with an integrated CA, enable PKINIT as follows. The command requests a PKINIT KDC certificate from the IdM CA and installs it for the KDC:
    # ipa-pkinit-manage enable
      Configuring Kerberos KDC (krb5kdc)
      [1/1]: installing X509 Certificate for PKINIT
      Done configuring Kerberos KDC (krb5kdc).
      The ipa-pkinit-manage command was successful
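The procedure for IdM without a CA depends on obtaining a KDC certificate from an external CA that carries the right subject, Subject Alternative Name and Extended Key Usage; a certificate that misses one of them installs cleanly but PKINIT stays broken. The following script is an added example, not code from this page or from IdM: it writes the OpenSSL extension configuration that encodes krbtgt/REALM@REALM as an id-pkinit-san otherName and sets the id-pkinit-KPKdc EKU, issues a certificate from a throwaway CA that stands in for your external CA, and checks the result against the three conditions before printing the IdM commands from step 2. The hostname kdc.ipa.test, the realm IPA.TEST, the subject base /O=IPA.TEST, the file names and the function names are assumptions made for the demo. The checks inspect the DER encoding of the certificate, so they do not depend on how a particular OpenSSL version pretty-prints otherName entries it does not know.

```shell
#!/bin/sh
# Added example, not code from the Red Hat page or from IdM: issue a PKINIT KDC
# certificate from an external CA and verify the three conditions the page lists
# before handing kdc.pem/kdc.key to ipa-server-certinstall --kdc.
# The CA created here is a throwaway stand-in for your real external CA.
set -u

# OpenSSL extension config for the KDC certificate. The subjectAltName carries the
# krbtgt/REALM@REALM principal as an id-pkinit-san otherName (OID 1.3.6.1.5.2.2)
# and the EKU is id-pkinit-KPKdc (OID 1.3.6.1.5.2.3.5), both from RFC 4556. The
# nested sections spell out the KRB5PrincipalName ASN.1 structure; name-type 2 is
# NT-SRV-INST, the name type used for krbtgt principals.
write_kdc_ext_cnf() {   # $1 = output file, $2 = REALM
    cat > "$1" <<EOF
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm=EXP:0,GeneralString:$2
principal_name=EXP:1,SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals

[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:$2
EOF
}

# Throwaway CA standing in for the external CA that signs the KDC certificate.
make_demo_ca() {   # $1 = workdir
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Example Organization/CN=CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Key and CSR with subject CN=<fqdn>,<subject base>, signed with the extensions above.
issue_kdc_cert() {   # $1 = workdir, $2 = KDC FQDN, $3 = REALM, $4 = subject base, e.g. /O=IPA.TEST
    write_kdc_ext_cnf "$1/kdc_ext.cnf" "$3" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "$4/CN=$2" \
        -keyout "$1/kdc.key" -out "$1/kdc.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/kdc.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 30 -extfile "$1/kdc_ext.cnf" -extensions kdc_cert -out "$1/kdc.pem" 2>/dev/null
}

# DER bytes of a certificate as " xx xx ... ", so OIDs and strings can be matched
# byte-exactly regardless of how this OpenSSL version prints unknown otherNames.
cert_der_hex() {   # $1 = cert.pem
    openssl x509 -in "$1" -outform DER | od -A n -v -t x1 | tr -s ' \n' ' '
}

# DER GeneralString (tag 0x1b) for an ASCII string shorter than 128 bytes.
der_general_string() {   # $1 = string
    printf ' 1b %02x' "${#1}"
    printf '%s' "$1" | od -A n -v -t x1 | tr -s ' \n' ' '
}

# Check the three conditions from the page; returns 0 only if all of them hold.
check_kdc_cert() {   # $1 = cert.pem, $2 = KDC FQDN, $3 = REALM
    hex=$(cert_der_hex "$1") || return 1
    # 1. Subject CN is the KDC's fully qualified domain name.
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -qE "CN=$2(,|$)" \
        || { echo "subject CN is not $2" >&2; return 1; }
    # 2. SAN otherName 1.3.6.1.5.2.2 with GeneralStrings "krbtgt" and the realm.
    for needle in " 06 06 2b 06 01 05 02 02 " "$(der_general_string krbtgt)" "$(der_general_string "$3")"; do
        case "$hex" in *"$needle"*) ;; *) echo "PKINIT SAN for krbtgt/$3@$3 missing" >&2; return 1 ;; esac
    done
    # 3. EKU contains id-pkinit-KPKdc 1.3.6.1.5.2.3.5 (DER 06 07 2b 06 01 05 02 03 05).
    case "$hex" in *" 06 07 2b 06 01 05 02 03 05 "*) ;; *) echo "KDC EKU missing" >&2; return 1 ;; esac
    return 0
}

main() {   # $1 = KDC FQDN, $2 = REALM, $3 = subject base (default /O=REALM)
    [ $# -ge 2 ] || { echo "usage: $0 <kdc-fqdn> <REALM> [/O=subject-base]" >&2; return 0; }
    base=${3:-/O=$2}
    dir=$(mktemp -d)
    make_demo_ca "$dir" && issue_kdc_cert "$dir" "$1" "$2" "$base" || return 1
    check_kdc_cert "$dir/kdc.pem" "$1" "$2" || return 1
    echo "$dir/kdc.pem satisfies the KDC certificate conditions. On the IdM server:"
    echo "  ipa-cacert-manage install -t CT,C,C $dir/ca.pem && ipa-certupdate"
    echo "  ipa-server-certinstall --kdc $dir/kdc.pem $dir/kdc.key && systemctl restart krb5kdc.service"
    echo "  ipa pkinit-status --server $1"
}

main "$@"
```

Run it as sh kdc-cert-check.sh kdc.ipa.test IPA.TEST; it prints the step 2 commands with the generated file paths and exits non-zero if the certificate would not satisfy the KDC. For a real deployment, send the CSR it creates to your external CA instead of signing it with the throwaway CA, install that CA's certificate with ipa-cacert-manage, and run check_kdc_cert against the certificate you get back before installing it.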

Additional Resources

  • For more information, see the ipa-server-certinstall(1) man page.
© 2024 Red Hat, Inc.