[Freeipa-users] PKINIT questions

Hi, I've a FreeIPA setup 4.10.1 (that's a long-living setup that was upgraded many times). It is CA-less setup (Inititally we had CA, but than it was removed). So now 4 of my servers are saying that PKINIT is enabled and one server is saying "disabled". I tried to re-install replica, but it says CA-less mode can't issue a certificate, so I tried with kdc-cert-file, but than it says cert is not valid (where it's definitly works for web and ldap). Anything I can do here and enable pkinit on that replica? Alex