Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 16. Kerberos PKINIT authentication in IdM

Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) is a preauthentication mechanism for Kerberos. The Identity Management (IdM) server includes a mechanism for Kerberos PKINIT authentication.

16.1. Default PKINIT configuration
Copiar o link

The default PKINIT configuration on your IdM servers depends on the certificate authority (CA) configuration.

Expand
Table 16.1. Default PKINIT configuration in IdM
CA configurationPKINIT configuration

Without a CA, no external PKINIT certificate provided

Local PKINIT: IdM only uses PKINIT for internal purposes on servers.

Without a CA, external PKINIT certificate provided to IdM

IdM configures PKINIT by using the external Kerberos key distribution center (KDC) certificate and CA certificate.

With an Integrated CA

IdM configures PKINIT by using the certificate signed by the IdM CA.

16.2. Displaying the current PKINIT configuration
Copiar o link

IdM provides multiple commands you can use to query the PKINIT configuration in your domain.

Procedure

  • To determine the PKINIT status in your domain, use the ipa pkinit-status command: 

    $ ipa pkinit-status
  Server name: server1.example.com
  PKINIT status: enabled
  [...output truncated...]
  Server name: server2.example.com
  PKINIT status: disabled
  [...output truncated...]
    Copy to Clipboard Toggle word wrap

    The command displays the PKINIT configuration status as enabled or disabled:

    • enabled: PKINIT is configured using a certificate signed by the integrated IdM CA or an external PKINIT certificate.
    • disabled: IdM only uses PKINIT for internal purposes on IdM servers.

  • To list the IdM servers with active Kerberos key distribution centers (KDCs) that support PKINIT for IdM clients, use the ipa config-show command on any server: 

    $ ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  [...output truncated...]
  IPA masters capable of PKINIT: server1.example.com
  [...output truncated...]
    Copy to Clipboard Toggle word wrap

16.3. Configuring PKINIT in IdM
Copiar o link

If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the ipa-server-install or ipa-replica-install utilities.

Prerequisites

  • Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level.

Procedure

  1. Check if PKINIT is enabled on the server: 

    # kinit admin

Password for admin@IDM.EXAMPLE.COM:
# ipa pkinit-status --server=server.idm.example.com
1 server matched
----------------
Server name: server.idm.example.com
PKINIT status:enabled
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

    If PKINIT is disabled, you will see the following output: 

    # ipa pkinit-status --server server.idm.example.com
-----------------
0 servers matched
-----------------
----------------------------
Number of entries returned 0
----------------------------
    Copy to Clipboard Toggle word wrap

    You can also use the command to find all the servers where PKINIT is enabled if you omit the --server <server_fqdn> parameter.

  2. If you are using IdM without CA:

    1. On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate: 

      # ipa-cacert-manage install -t CT,C,C ca.pem
      Copy to Clipboard Toggle word wrap

    2. To update all IPA hosts, repeat the ipa-certupdate command on all replicas and clients: 

      # ipa-certupdate
      Copy to Clipboard Toggle word wrap

    3. Check if the CA certificate has already been added using the ipa-cacert-manage list command. For example: 

      # ipa-cacert-manage list
CN=CA,O=Example Organization
The ipa-cacert-manage command was successful
      Copy to Clipboard Toggle word wrap

    4. Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:

      • It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
      • It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.

      • It contains the Object Identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5. 

        # ipa-server-certinstall --kdc kdc.pem kdc.key

# systemctl restart krb5kdc.service
        Copy to Clipboard Toggle word wrap

    5. See your PKINIT status: 

      # ipa pkinit-status
  Server name: server1.example.com
  PKINIT status: enabled
  [...output truncated...]
  Server name: server2.example.com
  PKINIT status: disabled
  [...output truncated...]
      Copy to Clipboard Toggle word wrap

  3. If you are using IdM with a CA certificate, enable PKINIT as follows: 

    # ipa-pkinit-manage enable
  Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
  Done configuring Kerberos KDC (krb5kdc).
  The ipa-pkinit-manage command was successful
    Copy to Clipboard Toggle word wrap

    If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat