Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
27.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the
--no-pkinit option with the ipa-server-install or ipa-replica-install utilities.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.
Procedure
- Check if PKINIT is enabled on the server:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow If PKINIT is disabled, you will see the following output:Copy to Clipboard Copied! Toggle word wrap Toggle overflow You can also use the command to find all the servers where PKINIT is enabled if you omit the--server <server_fqdn>parameter. - If you are using IdM without CA:
- On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate:
ipa-cacert-manage install -t CT,C,C ca.pem
# ipa-cacert-manage install -t CT,C,C ca.pemCopy to Clipboard Copied! Toggle word wrap Toggle overflow - To update all IPA hosts, repeat the ipa-certupdate command on all replicas and clients:
ipa-certupdate
# ipa-certupdateCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Check if the CA certificate has already been added using the ipa-cacert-manage list command. For example:
ipa-cacert-manage list
# ipa-cacert-manage list CN=CA,O=Example Organization The ipa-cacert-manage command was successfulCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:
- It is issued with the common name
CN=fully_qualified_domain_name,certificate_subject_base. - It includes the Kerberos principal
krbtgt/REALM_NAME@REALM_NAME. - It contains the Object Identifier (OID) for KDC authentication:
1.3.6.1.5.2.3.5.
ipa-server-certinstall --kdc kdc.pem kdc.key systemctl restart krb5kdc.service
# ipa-server-certinstall --kdc kdc.pem kdc.key # systemctl restart krb5kdc.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow - See your PKINIT status:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
- If you are using IdM with a CA certificate, enable PKINIT as follows:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
Additional Resources
- For more information, see ipa-server-certinstall(1) man page.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}