Hi,

On Sun, Jun 18, 2023 at 3:47 AM alexey safonov via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:

> I'm just surprised than, how other replicas has PKINIT?
>

In your first email you mentioned that the topology used to have a CA. If a
replica was installed at that time then IPA CA issued a KDC certificate for
this replica, with the required extensions. But be aware that when it
reaches its expiration date, it won't be automatically renewed, and you will
have to get a new KDC cert outside of IPA, then install it using
ipa-server-certinstall with the --kdc option.

flo
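Added example, not code from this thread or from FreeIPA: the two replies above boil down to "a KDC certificate needs extensions a web/LDAP certificate does not have". The script below encodes exactly those two extensions the way the MIT pkinit page describes them (the id-pkinit-KPKdc EKU, OID 1.3.6.1.5.2.3.5, and a subjectAltName otherName of type id-pkinit-san, OID 1.3.6.1.5.2.2, carrying KRB5PrincipalName krbtgt/REALM) and then checks a pair of extension values for them, so a certificate handed to --kdc-cert-file can be diagnosed before ipa-server-certinstall --kdc rejects it. It uses only the Python standard library; the realm EXAMPLE.TEST, the hostname and both sample certificates' extension values are constructed here for the example. On a real certificate you would feed it the DER values of the extendedKeyUsage and subjectAltName extensions as extracted by your X.509 library of choice.

```python
# Added example (not from the mailing-list thread or FreeIPA): stdlib-only
# encoder/decoder for the two extensions MIT krb5 requires of a PKINIT KDC
# certificate, plus a checker that reports which of them a cert is missing.
# Realm, hostname and both sample certificates below are constructed.

ID_PKINIT_SAN = "1.3.6.1.5.2.2"         # otherName type-id: KRB5PrincipalName
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"     # EKU that marks a KDC certificate
ID_KP_SERVERAUTH = "1.3.6.1.5.5.7.3.1"  # EKU an ordinary web/LDAP cert carries

# --- minimal DER encoder --------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def general_string(s):        # Realm and KerberosString are GeneralString (tag 27)
    return tlv(0x1B, s.encode("ascii"))

def krb5_principal_name(realm, components, name_type=1):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    principal = tlv(0x30, tlv(0xA0, tlv(0x02, bytes([name_type])))
                    + tlv(0xA1, tlv(0x30, b"".join(map(general_string, components)))))
    return tlv(0x30, tlv(0xA0, general_string(realm)) + tlv(0xA1, principal))

def other_name(type_oid, value_der):  # GeneralName otherName [0]: type-id OID, value [0] EXPLICIT
    return tlv(0xA0, oid(type_oid) + tlv(0xA0, value_der))
def dns_name(host):                   # GeneralName dNSName [2]
    return tlv(0x82, host.encode("ascii"))
def san_extension(names):             # SubjectAltName ::= SEQUENCE OF GeneralName
    return tlv(0x30, b"".join(names))
def eku_extension(oids):              # ExtKeyUsage ::= SEQUENCE OF OID
    return tlv(0x30, b"".join(map(oid, oids)))

# --- minimal DER decoder --------------------------------------------------
def parse_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def iter_seq(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        yield tag, value

def decode_oid(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def decode_krb5_principal(body):
    fields = dict(iter_seq(body))                       # {[0]: realm, [1]: principalName}
    realm = parse_tlv(fields[0xA0])[1].decode("ascii")
    pfields = dict(iter_seq(parse_tlv(fields[0xA1])[1]))
    comps = [v.decode("ascii") for _, v in iter_seq(parse_tlv(pfields[0xA1])[1])]
    return realm, comps

def check_kdc_cert_extensions(eku_der, san_der, realm):
    """Given the DER values of extendedKeyUsage and subjectAltName, report
    whether they meet the PKINIT KDC requirements for `realm`."""
    ekus = [decode_oid(v) for t, v in iter_seq(parse_tlv(eku_der)[1]) if t == 0x06]
    principal = None
    for tag, value in iter_seq(parse_tlv(san_der)[1]):
        if tag != 0xA0:                                 # only otherName entries matter
            continue
        _, type_oid, pos = parse_tlv(value)
        if decode_oid(type_oid) != ID_PKINIT_SAN:
            continue
        _, inner, _ = parse_tlv(value, pos)             # strip the [0] EXPLICIT wrapper
        principal = decode_krb5_principal(parse_tlv(inner)[1])
    return {"kdc_eku": ID_PKINIT_KPKDC in ekus,
            "kdc_san": principal == (realm, ["krbtgt", realm]),
            "principal": principal}

REALM = "EXAMPLE.TEST"   # constructed realm
# Extensions of an ordinary HTTP/LDAP server cert: fine for web and ldap, not for the KDC.
SERVER_EKU = eku_extension([ID_KP_SERVERAUTH])
SERVER_SAN = san_extension([dns_name("ipa.example.test")])
# Extensions a KDC cert must carry.
KDC_EKU = eku_extension([ID_PKINIT_KPKDC])
KDC_SAN = san_extension([dns_name("ipa.example.test"),
                         other_name(ID_PKINIT_SAN, krb5_principal_name(REALM, ["krbtgt", REALM]))])

if __name__ == "__main__":
    print("server cert:", check_kdc_cert_extensions(SERVER_EKU, SERVER_SAN, REALM))
    print("kdc cert:   ", check_kdc_cert_extensions(KDC_EKU, KDC_SAN, REALM))
```

Run stand-alone it reports the server-style extensions as lacking both the KDC EKU and the KDC SAN, and the KDC-style pair as satisfying both with principal krbtgt/EXAMPLE.TEST. The same shape of check is what to run on the replacement certificate flo mentions, since a cert obtained from an external CA will only work with --kdc if that CA was asked for these extensions.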

>
> Fri, 16 Jun 2023 at 23:07, Rob Crittenden <rcrit...@redhat.com>:
> >
> > alexey safonov via FreeIPA-users wrote:
> > > Hi, I've a FreeIPA setup 4.10.1 (that's a long-living setup that was
> > > upgraded many times). It is a CA-less setup (initially we had a CA, but
> > > then it was removed). So now 4 of my servers are saying that PKINIT
> > > is enabled and one server is saying "disabled".
> > >
> > > I tried to re-install the replica, but it says CA-less mode can't issue a
> > > certificate, so I tried with kdc-cert-file, but then it says the cert is
> > > not valid (whereas it definitely works for web and ldap).
> > >
> > > Anything I can do here and enable pkinit on that replica?
> >
> > A KDC cert has some extensions not typically found in a server
> > certificate. This page outlines the requirements:
> > https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
> >
> > rob
> >
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>