Charles Hedrick via FreeIPA-users wrote:
> the error is
>
> The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC

A PKINIT certificate needs an EKU extension, https://datatracker.ietf.org/doc/html/rfc4556

When generating the key with OpenSSL you need to include "-extensions kdc_cert"

rob

> ------------------------------------------------------------------------
> *From:* Charles Hedrick via FreeIPA-users <[email protected]>
> *Sent:* Wednesday, June 15, 2022 3:39 PM
> *To:* [email protected] <[email protected]>
> *Cc:* Charles Hedrick <[email protected]>
> *Subject:* [Freeipa-users] ipa-server-certinstall -k
>
> ipa-server-certinstall works fine for http and ldap. But I can't get the
> -k option to work.
>
> I've tried cert.pem and privkey.pem with and without chain.pem, as well
> as fullchain.pem and privkey.pem (fullchain has both the cert and the
> chain).
>
> The certs were issued by Internet2, which chains up to addtrust.
>
> kinit -n works fine if I install the pem files manually, so presumably
> my files are valid.
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
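The following script is an added illustration of the point in the reply above; it is not code from the thread or from the FreeIPA project. It builds a throwaway CA, signs one certificate with the RFC 4556 KDC extensions (the kind of OpenSSL "kdc_cert" section the reply refers to, modelled on the MIT Kerberos PKINIT documentation) and one with an ordinary web-server profile like a public CA would issue, then checks each for the id-pkinit-KDC EKU before it would ever reach ipa-server-certinstall -k. The realm EXAMPLE.TEST, the hostnames and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): issue a KDC certificate
# with RFC 4556 extensions and a web-server certificate without them, then
# check which one krb5 would accept. Realm, names and paths are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Extension sections. The EKU OID 1.3.6.1.5.2.3.5 is id-pkinit-KDC; the
# otherName SAN (OID 1.3.6.1.5.2.2) carries the krbtgt/REALM principal
# (RFC 4556 section 3.2.4). The layout follows the MIT Kerberos PKINIT docs.
cat > "$WORK/ext.cnf" <<'EOF'
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0,GeneralString:EXAMPLE.TEST
principal_name = EXP:1,SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:EXAMPLE.TEST

# Typical public-CA web profile: serverAuth only, no PKINIT EKU.
[server_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kdc.example.test
EOF

# issue_cert NAME SECTION: fresh key and CSR for NAME, signed by the test CA
# with the extensions from SECTION (this is where "-extensions kdc_cert" goes).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kdc.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# has_kdc_eku CERT: succeeds only if CERT carries the id-pkinit-KDC EKU.
# OpenSSL prints the OID numerically or by its registered name depending on
# version, so both forms are matched.
has_kdc_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -Eq '1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response|pkInitKDC'
}

# Throwaway CA standing in for the real issuer's chain.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
issue_cert kdc kdc_cert
issue_cert web server_cert

for c in kdc web; do
  if has_kdc_eku "$WORK/$c.pem"; then
    echo "$c.pem: has id-pkinit-KDC EKU, usable for the KDC"
  else
    echo "$c.pem: no id-pkinit-KDC EKU, krb5 reports 'invalid for a KDC'"
  fi
done
```

Running `has_kdc_eku` against the certificate a commercial CA issued is the quick way to tell whether the "invalid for a KDC" message is about the file layout (cert vs. fullchain) or about the certificate profile itself; a web-server certificate will fail this check no matter how the chain is packaged.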
