Hi, I have a FreeIPA 4.10.1 setup (a long-lived setup that has been upgraded many times). It is a CA-less setup (initially we had a CA, but then it was removed). So now 4 of my servers are saying that PKINIT is enabled and one server is saying "disabled".
I tried to re-install the replica, but it says CA-less mode can't issue a certificate, so I tried with kdc-cert-file, but then it says the cert is not valid (while it definitely works for web and ldap).
Anything I can do here to enable pkinit on that replica?
Alex
alexey safonov via FreeIPA-users wrote:
Hi, I have a FreeIPA 4.10.1 setup (a long-lived setup that has been upgraded many times). It is a CA-less setup (initially we had a CA, but then it was removed). So now 4 of my servers are saying that PKINIT is enabled and one server is saying "disabled".
I tried to re-install the replica, but it says CA-less mode can't issue a certificate, so I tried with kdc-cert-file, but then it says the cert is not valid (while it definitely works for web and ldap).
Anything I can do here to enable pkinit on that replica?
A KDC cert has some extensions not typically found in a server certificate. This page outlines the requirements: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
rob
I'm just surprised then, how do the other replicas have PKINIT?
Fri, 16 Jun 2023 at 23:07, Rob Crittenden rcritten@redhat.com:
A KDC cert has some extensions not typically found in a server certificate. This page outlines the requirements: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
rob
Hi,
On Sun, Jun 18, 2023 at 3:47 AM alexey safonov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I'm just surprised then, how do the other replicas have PKINIT?
In your first email you mentioned that the topology used to have a CA. If a replica was installed at that time then the IPA CA issued a KDC certificate for this replica, with the required extensions. But be aware that when it reaches its expiration date, it won't be automatically renewed, and you will have to get a new KDC cert outside of IPA, then install it using ipa-server-certinstall with the --kdc option.
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Got it, thanks. Would it be possible to use a self-signed certificate for the KDC, while for dirsrv/http using a normal certificate signed by a public CA?
Mon, 19 Jun 2023 at 14:46, Florence Blanc-Renaud flo@redhat.com:
In your first email you mentioned that the topology used to have a CA. If a replica was installed at that time then the IPA CA issued a KDC certificate for this replica, with the required extensions. But be aware that when it reaches its expiration date, it won't be automatically renewed, and you will have to get a new KDC cert outside of IPA, then install it using ipa-server-certinstall with the --kdc option.
flo
Hi,
On Sat, Jul 1, 2023 at 3:48 AM alexey safonov alexeysaff@gmail.com wrote:
Got it, thanks. Would it be possible to use a self-signed certificate for the KDC, while for dirsrv/http using a normal certificate signed by a public CA?
It is possible to have different certificates for dirsrv/httpd/kdc, and even different cert chains. For instance ExternalCA1 > dirsrv, ExternalCA2 > http, ExternalCA3 > KDC. Each one can be installed with ipa-cacert-manage install -t CT,C,C <external CA> followed by ipa-certupdate and ipa-server-certinstall (with either -d / -w / -k).
If I recall correctly, a self-signed KDC certificate will allow IPA to function but won't enable PKINIT authentication (see https://freeipa.org/page/V4/Kerberos_PKINIT). You can generate a CA and have this CA generate your KDC cert by following the instructions from https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
flo
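Rob's point (a KDC cert needs extensions a web/LDAP cert lacks) and flo's suggestion to let your own CA issue the KDC cert both come down to the extension layout on the MIT pkinit page linked above. The script below is an added example, not from the thread or the FreeIPA project: it issues such a cert from a throwaway CA and checks any PEM cert for the KDC EKU and the krbtgt SAN. REALM, KDC_HOST and the file names are constructed assumptions.

```shell
# Added example (not from the thread or the FreeIPA project). REALM and KDC_HOST are
# constructed values; change them to your own realm and replica hostname.
set -eu
REALM="${REALM:-EXAMPLE.TEST}"; export REALM        # openssl reads it as ${ENV::REALM}
KDC_HOST="${KDC_HOST:-ipa-replica.example.test}"
# Sections as on the MIT pkinit page (issuerAltName omitted); the nested SEQUENCEs encode
# KRB5PrincipalName { realm, { name-type 1, [krbtgt, REALM] } } inside the otherName SAN.
write_ext_cnf() {                                   # $1 = config file to create
  cat >"$1" <<'EOF'
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}
EOF
  # Plain TLS server profile: the kind of cert that works for web/ldap but not for PKINIT.
  printf '[server_cert]\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$KDC_HOST" >>"$1"
}
# Issue $4.crt signed by CA $1 (.crt/.key) using section $2 of extension config $3.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$4.key" -out "$4.csr" -subj "/CN=$KDC_HOST" 2>/dev/null
  openssl x509 -req -in "$4.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$3" -extensions "$2" -out "$4.crt" 2>/dev/null
}
# Returns 0 if PEM cert $1 has the KDC EKU and a SAN carrying krbtgt, 1 if not, 2 if unreadable.
check_kdc_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  printf '%s\n' "$text" | grep -Eq 'Signing KDC Response|KDC Authentication|1\.3\.6\.1\.5\.2\.3\.5' || return 1
  printf '%s\n' "$text" | grep -q 'Subject Alternative Name' || return 1
  openssl x509 -in "$1" -outform DER | grep -aq 'krbtgt'   # GeneralString bytes inside the SAN
}
# Build a throwaway CA, a KDC cert and a server cert in a temp dir and print the dir name.
make_demo_certs() {
  d=$(mktemp -d); write_ext_cnf "$d/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" -days 30 -subj "/CN=Test KDC CA" 2>/dev/null
  issue_cert "$d/ca" kdc_cert "$d/ext.cnf" "$d/kdc"
  issue_cert "$d/ca" server_cert "$d/ext.cnf" "$d/www"
  echo "$d"
}
```

Run check_kdc_cert against the certificate you passed to kdc-cert-file to see which part is missing; a serverAuth certificate from a public CA fails the EKU test even though it is fine for httpd and dirsrv.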