alexey safonov via FreeIPA-users wrote:
Hi, I've a FreeIPA setup 4.10.1 (that's a long-living setup that was upgraded many times). It is a CA-less setup (initially we had a CA, but then it was removed). So now 4 of my servers are saying that PKINIT is enabled and one server is saying "disabled".
I tried to re-install the replica, but it says CA-less mode can't issue a certificate, so I tried with kdc-cert-file, but then it says the cert is not valid (whereas it definitely works for web and LDAP).
Anything I can do here and enable pkinit on that replica?
A KDC cert has some extensions not typically found in a server certificate. This page outlines the requirements: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
rob
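The following is an added example, not code from this thread, from FreeIPA or from MIT. It builds a throwaway test CA, issues one certificate with the `[kdc_cert]` extension profile from the MIT pkinit page linked above (EKU id-pkinit-KPKdc, 1.3.6.1.5.2.3.5, and a subjectAltName otherName id-pkinit-san, 1.3.6.1.5.2.2, carrying krbtgt/REALM@REALM) and one with an ordinary web/LDAP server profile, then checks each for the two KDC markers. The realm `EXAMPLE.TEST`, the host name `kdc.example.test`, the scratch directory and the function names are all constructed for the demonstration; it assumes only the `openssl` command-line tool. Whatever further checks the FreeIPA installer applies to a supplied KDC certificate are not covered by the thread and are not modelled here.

```shell
# Added example, not code from this thread or from FreeIPA. Issues a test KDC
# certificate with the PKINIT extensions from the MIT pkinit docs plus a plain
# TLS server certificate, and checks both for the KDC markers. Realm, host
# name and paths are made up for the demonstration.
set -eu

REALM="${REALM:-EXAMPLE.TEST}"   # hypothetical Kerberos realm
WORK="${WORK:-$(mktemp -d)}"     # scratch directory for keys and certificates

# [kdc_cert] follows the MIT pkinit docs: EKU id-pkinit-KPKdc (1.3.6.1.5.2.3.5)
# and a SAN otherName id-pkinit-san (1.3.6.1.5.2.2) holding the KRB5PrincipalName
# krbtgt/REALM@REALM. [server_cert] is a web/LDAP style profile for comparison.
cat > "$WORK/pkinit.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder

[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0,GeneralString:$REALM
principal_name = EXP:1,SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0,INTEGER:2
name_string = EXP:1,SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$REALM

[server_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kdc.example.test
EOF

# Throwaway test CA that signs both certificates.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/pkinit.cnf" -subj "/CN=Test PKINIT CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_cert SECTION NAME: sign a certificate with the extensions in SECTION
# and print the path of the resulting PEM file.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/pkinit.cnf" -subj "/CN=kdc.example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/pkinit.cnf" \
        -extensions "$1" -out "$WORK/$2.pem" >/dev/null 2>&1
    echo "$WORK/$2.pem"
}

# der_hex CERT: the certificate's DER bytes as one lowercase hex string.
der_hex() {
    openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n'
}

# str_hex TEXT: DER of TEXT as a GeneralString (tag 0x1b, short-form length).
str_hex() {
    printf '1b%02x' "${#1}"
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# check_kdc_cert CERT: return 0 only when CERT carries both PKINIT KDC markers.
# "openssl x509 -text" prints the id-pkinit-san otherName only as <unsupported>,
# so the checks match DER encodings directly, independent of OpenSSL version:
#   06072b060105020305  OID 1.3.6.1.5.2.3.5 (id-pkinit-KPKdc) in the EKU
#   06062b0601050202    OID 1.3.6.1.5.2.2 (id-pkinit-san) in the SAN otherName
#   krbtgt + REALM      adjacent GeneralStrings of the principal's name-string
check_kdc_cert() {
    hex=$(der_hex "$1")
    princ="$(str_hex krbtgt)$(str_hex "$REALM")"
    status=0
    case "$hex" in
        *06072b060105020305*) echo "ok: EKU id-pkinit-KPKdc present" ;;
        *) echo "MISSING: extendedKeyUsage 1.3.6.1.5.2.3.5 (id-pkinit-KPKdc)"; status=1 ;;
    esac
    case "$hex" in
        *06062b0601050202*"$princ"*) echo "ok: id-pkinit-san krbtgt/$REALM@$REALM present" ;;
        *) echo "MISSING: SAN otherName 1.3.6.1.5.2.2 for krbtgt/$REALM@$REALM"; status=1 ;;
    esac
    return $status
}

KDC_CERT=$(issue_cert kdc_cert kdc)
SERVER_CERT=$(issue_cert server_cert web)
check_kdc_cert "$KDC_CERT"
check_kdc_cert "$SERVER_CERT" || echo "web/LDAP-style certificate rejected, as expected"
```

Run it with `REALM` set to your own realm; `check_kdc_cert` can then be pointed at any existing PEM file to see which of the two markers a candidate KDC certificate lacks. A certificate that passes only the `serverAuth`/DNS-name profile, as the one in the question does for web and LDAP, fails both checks here, which is the reason a server certificate cannot simply be reused for the KDC.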