27.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option to the ipa-server-install or ipa-replica-install utilities.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level. See Chapter 7, Displaying and Raising the Domain Level for details.
Procedure
- Check if PKINIT is enabled on the server. If PKINIT is disabled, the command output reports it. You can also use the same command to find all the servers where PKINIT is enabled if you omit the --server <server_fqdn> parameter.
- If you are using IdM without a CA:
  - On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate:
    # ipa-cacert-manage install -t CT,C,C ca.pem
  - To update all IPA hosts, repeat the ipa-certupdate command on all replicas and clients:
    # ipa-certupdate
  - Check if the CA certificate has already been added using the ipa-cacert-manage list command. For example:
    # ipa-cacert-manage list
    CN=CA,O=Example Organization
    The ipa-cacert-manage command was successful
  - Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:
    - It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
    - It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
    - It contains the Object Identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.
    # ipa-server-certinstall --kdc kdc.pem kdc.key
    # systemctl restart krb5kdc.service
  - See your PKINIT status.
- If you are using IdM with a CA certificate, enable PKINIT. If you are using an IdM CA, the enable command requests a PKINIT KDC certificate from the CA.
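The three conditions on the external KDC certificate can be verified before you hand the file to ipa-server-certinstall. The following Python script is an added example and is not part of the IdM documentation or of the ipa tooling: it walks the DER encoding of a certificate with the standard library only and reports whether the subject, the Kerberos principal in the Subject Alternative Name (the otherName type 1.3.6.1.5.2.2 defined by RFC 4556) and the Extended Key Usage match the values the procedure requires. The host name kdc.example.com, the realm EXAMPLE.COM and the subject base O=EXAMPLE.COM are made-up values, and make_test_kdc_cert() calls the openssl command line only to produce a constructed self-signed certificate for the check to run against.

```python
# Added example, not part of the IdM documentation: check a KDC certificate against the
# three PKINIT conditions (subject CN, krbtgt principal in the SAN, KDC authentication EKU)
# with a small stdlib DER walker. openssl only builds a constructed self-signed test cert.
import os
import subprocess
import tempfile

OID_EKU, OID_SAN = "2.5.29.37", "2.5.29.17"
OID_PKINIT_KDC = "1.3.6.1.5.2.3.5"     # KDC authentication EKU named in the procedure
OID_KRB5_PRINCIPAL = "1.3.6.1.5.2.2"   # otherName type-id that carries a KRB5PrincipalName
RDN_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}

def parse_der(data):
    """Return [(tag, content, children)] for the DER TLVs in data (single-byte tags)."""
    nodes, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        content, i = data[i:i + length], i + length
        nodes.append((tag, content, parse_der(content) if tag & 0x20 else None))
    return nodes

def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def subject_string(name_node):
    """Render a Name as RFC 4514 text, most specific RDN first (CN=...,O=...)."""
    parts = []
    for attr in (a for rdn in name_node[2] for a in rdn[2]):
        oid = decode_oid(attr[2][0][1])
        parts.append(f"{RDN_NAMES.get(oid, oid)}={attr[2][1][1].decode()}")
    return ",".join(reversed(parts))

def extract_kdc_fields(der):
    """Pull the subject, EKU OIDs and Kerberos principals out of a DER certificate."""
    fields = parse_der(der)[0][2][0][2]                     # TBSCertificate children
    start = 1 if fields[0][0] == 0xA0 else 0                # skip explicit version, if present
    info = {"subject": subject_string(fields[start + 4]), "eku": [], "principals": []}
    for ext in next((f[2][0][2] for f in fields if f[0] == 0xA3), []):
        value = parse_der(ext[2][-1][1])[0]                 # decode the OCTET STRING body
        if decode_oid(ext[2][0][1]) == OID_EKU:
            info["eku"] = [decode_oid(n[1]) for n in value[2]]
        elif decode_oid(ext[2][0][1]) == OID_SAN:
            for gn in value[2]:                             # otherName = [0] {type-id, [0] value}
                if gn[0] == 0xA0 and decode_oid(gn[2][0][1]) == OID_KRB5_PRINCIPAL:
                    krb = gn[2][1][2][0]                    # KRB5PrincipalName SEQUENCE (RFC 4556)
                    realm = krb[2][0][2][0][1].decode()     # [0] realm, a GeneralString
                    names = krb[2][1][2][0][2][1][2][0][2]  # [1] PrincipalName -> [1] name-string
                    info["principals"].append("/".join(s[1].decode() for s in names) + "@" + realm)
    return info

def check_kdc_cert(der, fqdn, realm, subject_base):
    """Map each of the three documented KDC certificate conditions to True or False."""
    info = extract_kdc_fields(der)
    return {"common_name": info["subject"] == f"CN={fqdn},{subject_base}",
            "krbtgt_principal": f"krbtgt/{realm}@{realm}" in info["principals"],
            "kdc_eku": OID_PKINIT_KDC in info["eku"]}

# Constructed openssl config; host kdc.example.com and realm EXAMPLE.COM are made-up values.
TEST_CONF = """[req]
distinguished_name = dn
x509_extensions = kdc_cert
prompt = no
[dn]
O = EXAMPLE.COM
CN = kdc.example.com
[kdc_cert]
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[princ_name]
realm = EXP:0, GeneralString:EXAMPLE.COM
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:EXAMPLE.COM
"""

def make_test_kdc_cert(eku=OID_PKINIT_KDC):
    """Build a constructed self-signed test certificate with openssl; return its DER bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        conf, cert = os.path.join(tmp, "kdc.cnf"), os.path.join(tmp, "kdc.der")
        with open(conf, "w") as fh:
            fh.write(TEST_CONF.replace(OID_PKINIT_KDC, eku))
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                        "-keyout", os.path.join(tmp, "kdc.key"), "-out", cert, "-outform", "DER",
                        "-config", conf], check=True, capture_output=True)
        with open(cert, "rb") as fh:
            return fh.read()
```

To check a real certificate, convert it first with openssl x509 -in kdc.pem -outform DER -out kdc.der, read the file as bytes and pass them to check_kdc_cert() together with the server FQDN, the realm and the certificate subject base; each False entry in the result names the condition the certificate does not meet. The principal comparison is exact, so a certificate issued for a host principal instead of krbtgt/REALM_NAME@REALM_NAME is reported as failing.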
Additional Resources
- For more information, see the ipa-server-certinstall(1) man page.