15.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the ipa-server-install or ipa-replica-install utilities.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level.
Procedure
Check if PKINIT is enabled on the server:
    # kinit admin
    Password for admin@IDM.EXAMPLE.COM:
    # ipa pkinit-status --server=server.idm.example.com
    1 server matched
    ----------------
    Server name: server.idm.example.com
    PKINIT status:enabled
    ----------------------------
    Number of entries returned 1
    ----------------------------
If PKINIT is disabled, you will see the following output:
    # ipa pkinit-status --server server.idm.example.com
    -----------------
    0 servers matched
    -----------------
    ----------------------------
    Number of entries returned 0
    ----------------------------
You can also use the command to find all the servers where PKINIT is enabled if you omit the --server <server_fqdn> parameter.
If you are using IdM without CA:
On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate:
    # ipa-cacert-manage install -t CT,C,C ca.pem
To update all IPA hosts, repeat the ipa-certupdate command on all replicas and clients:
    # ipa-certupdate
Check if the CA certificate has already been added using the ipa-cacert-manage list command. For example:
    # ipa-cacert-manage list
    CN=CA,O=Example Organization
    The ipa-cacert-manage command was successful
Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:
- It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
- It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.
- It contains the Object Identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5.
    # ipa-server-certinstall --kdc kdc.pem kdc.key
    # systemctl restart krb5kdc.service
See your PKINIT status:
    # ipa pkinit-status
    Server name: server1.example.com
    PKINIT status: enabled
    [...output truncated...]
    Server name: server2.example.com
    PKINIT status: disabled
    [...output truncated...]
If you are using IdM with a CA certificate, enable PKINIT as follows:
    # ipa-pkinit-manage enable
    Configuring Kerberos KDC (krb5kdc)
    [1/1]: installing X509 Certificate for PKINIT
    Done configuring Kerberos KDC (krb5kdc).
    The ipa-pkinit-manage command was successful
If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
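A follow-up check for the status step of this procedure, as an added example that is not part of the original documentation: a shell function that reads ipa pkinit-status output and lists every server not reported as enabled, so a deployment can be audited after the change. The function names and the exit-code convention are assumptions of this example, and the sample input is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page).

# pkinit_not_enabled: read `ipa pkinit-status` output on stdin and print the
# name of every server whose PKINIT status is anything other than "enabled".
# Exit status (convention chosen for this example):
#   0  every listed server is enabled
#   1  at least one listed server is not enabled
#   2  no "Server name:" entry was found (for example "0 servers matched"),
#      so an empty reply is never mistaken for "all enabled"
pkinit_not_enabled() {
    awk '
        /^[ \t]*Server name:/ {
            sub(/^[ \t]*Server name:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            server = $0
            seen++
            next
        }
        /^[ \t]*PKINIT status:/ {
            # Accept both "status: enabled" and "status:enabled".
            sub(/^[ \t]*PKINIT status:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            if ($0 != "enabled") { print server; bad++ }
        }
        END { if (!seen) exit 2; if (bad) exit 1 }
    '
}

# Constructed sample input, modelled on the output shown on this page.
sample_status() {
    cat <<'EOF'
Server name: server1.example.com
PKINIT status: enabled
[...output truncated...]
Server name: server2.example.com
PKINIT status: disabled
[...output truncated...]
EOF
}

# Typical use on an IdM host with a valid admin ticket (not run here):
#   ipa pkinit-status | pkinit_not_enabled
```

Because the function returns a non-zero status when a server is not enabled or when nothing matched, it can be dropped into a monitoring job that alerts on failure.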