Actually, I executed these commands on the replica server before you replied:
[root@ipa-replica ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@ipa-replica ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@ipa-replica ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
This means I didn't delete any kdc.key / kdc.crt file.
Now the content of the directory looks like this:
[root@ipa-replica ~]# ls -l /var/kerberos/krb5kdc/
insgesamt 20
-rw-r--r--. 1 root root 1322 2. Dez 17:42 cacert.pem
-rw-------. 1 root root 22 9. Okt 22:59 kadm5.acl
-rw-------. 1 root root 666 2. Dez 17:21 kdc.conf
-rw-r--r--. 1 root root 1480 2. Dez 17:26 kdc.crt
-rw-------. 1 root root 1704 2. Dez 17:26 kdc.key
The files are different compared to ipa-master.
Should I repeat creating the files on the replica server?
THX