Got it, thanks. Would it be possible to use a self-signed certificate for the KDC,
while using a normal certificate signed by a public CA for dirsrv/http?
Mon, Jun 19, 2023 at 14:46, Florence Blanc-Renaud <flo(a)redhat.com>:
>
> Hi,
>
>
> On Sun, Jun 18, 2023 at 3:47 AM alexey safonov via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>> I'm just surprised then, how do the other replicas have PKINIT?
>
>
> In your first email you mentioned that the topology used to have a CA. If a replica
> was installed at that time then the IPA CA issued a KDC certificate for this replica, with the
> required extensions. But be aware that when it reaches its expiration date, it won't be
> automatically renewed, and you will have to get a new KDC cert outside of IPA, then
> install it using ipa-server-certinstall with the --kdc option.
>
> flo
>>
>>
>> Fri, Jun 16, 2023 at 23:07, Rob Crittenden <rcritten(a)redhat.com>:
>> >
>> > alexey safonov via FreeIPA-users wrote:
>> > > Hi, I have a FreeIPA 4.10.1 setup (that's a long-living setup that was
>> > > upgraded many times). It is a CA-less setup (initially we had a CA, but
>> > > then it was removed). So now 4 of my servers are saying that PKINIT
>> > > is enabled and one server is saying "disabled".
>> > >
>> > > I tried to re-install the replica, but it says CA-less mode can't issue a
>> > > certificate, so I tried with kdc-cert-file, but then it says the cert is
>> > > not valid (whereas it definitely works for web and ldap).
>> > >
>> > > Anything I can do here to enable pkinit on that replica?
>> >
>> > A KDC cert has some extensions not typically found in a server
>> > certificate. This page outlines the requirements:
>> >
>> > https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
>> >
>> > rob
>> >
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
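Rob's point above is that a KDC certificate differs from a web/LDAP certificate only in its extensions, and Florence's note is that in a CA-less deployment such a certificate has to be produced outside IPA and installed with ipa-server-certinstall --kdc. The following script is an added example, not code from the thread or from FreeIPA: it self-signs a certificate carrying the PKINIT extensions described on the MIT page Rob linked (the id-pkinit-KPKdc extended key usage 1.3.6.1.5.2.3.5 and a subjectAltName otherName of type id-pkinit-san 1.3.6.1.5.2.2 holding the principal krbtgt/REALM@REALM), self-signs an ordinary serverAuth certificate for comparison, and runs a check that distinguishes the two. The realm EXAMPLE.TEST, the host ipa.example.test and the function names are placeholders chosen for the example; whether a self-signed KDC certificate is accepted by a given IPA version is not something this script decides, it only shows which extensions are missing from a certificate that "works for web and ldap".

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): build a self-signed KDC
# certificate with the PKINIT extensions from the MIT pkinit documentation,
# build a plain TLS server certificate, and check which one qualifies as a KDC cert.
# REALM and KDC_HOST are placeholders; override them via the environment.
set -eu

REALM="${REALM:-EXAMPLE.TEST}"            # placeholder Kerberos realm
KDC_HOST="${KDC_HOST:-ipa.example.test}"  # placeholder KDC host name
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL config for a KDC certificate: EKU id-pkinit-KPKdc and a SAN otherName
# (id-pkinit-san) whose KRB5PrincipalName is krbtgt/REALM@REALM (name type 1 = NT-PRINCIPAL).
write_kdc_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = kdc_cert

[dn]
CN = $KDC_HOST

[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:$KDC_HOST

[kdc_princ_name]
realm = EXP:0,GeneralString:$REALM
principal_name = EXP:1,SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$REALM
EOF
}

# OpenSSL config for an ordinary TLS server certificate (what HTTP/LDAP accept).
write_server_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = server_cert

[dn]
CN = $KDC_HOST

[server_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$KDC_HOST
EOF
}

# Self-sign a certificate from a config: $1 = config, $2 = key out, $3 = cert out
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Return 0 when $1 carries the PKINIT KDC EKU and a krbtgt principal in its SAN,
# 1 otherwise. OpenSSL prints the EKU by name or as the raw OID depending on version,
# so both spellings are accepted; the GeneralString "krbtgt" is located in the DER bytes.
check_kdc_cert() {
  openssl x509 -in "$1" -noout -text \
    | grep -Eq '1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response|pkInitKDC' || return 1
  openssl x509 -in "$1" -outform DER | tr -c '[:print:]\n' '.' | grep -q 'krbtgt' || return 1
  return 0
}

write_kdc_cnf "$WORKDIR/kdc.cnf"
write_server_cnf "$WORKDIR/server.cnf"
make_selfsigned "$WORKDIR/kdc.cnf" "$WORKDIR/kdc.key" "$WORKDIR/kdc.crt"
make_selfsigned "$WORKDIR/server.cnf" "$WORKDIR/server.key" "$WORKDIR/server.crt"

for c in kdc server; do
  if check_kdc_cert "$WORKDIR/$c.crt"; then
    echo "$c.crt: has the PKINIT KDC extensions"
  else
    echo "$c.crt: missing the PKINIT KDC extensions (usable for HTTP/LDAP, not as a KDC cert)"
  fi
done
```

Running it prints one line per certificate; kdc.crt passes and server.crt fails, which is the same distinction the installer draws when a web/LDAP certificate is handed to it as a KDC certificate. Inspect the generated file with `openssl x509 -in "$WORKDIR/kdc.crt" -noout -text` to see the extensions in full.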