alexey safonov via FreeIPA-users wrote:
Hi, I have a FreeIPA setup 4.10.1 (that's a long-living setup that was
upgraded many times). It is a CA-less setup (initially we had a CA, but
then it was removed). So now 4 of my servers are saying that PKINIT
is enabled and one server is saying "disabled".
I tried to re-install the replica, but it says CA-less mode can't issue a
certificate, so I tried with kdc-cert-file, but then it says the cert is
not valid (whereas it definitely works for web and ldap).
Anything I can do here to enable pkinit on that replica?
A KDC cert has some extensions not typically found in a server
certificate. This page outlines the requirements:
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
rob