alexey safonov via FreeIPA-users wrote:
> Hi, I've a FreeIPA setup 4.10.1 (that's a long-living setup that was
> upgraded many times). It is a CA-less setup (initially we had a CA, but
> then it was removed). So now 4 of my servers are saying that PKINIT
> is enabled and one server is saying "disabled".
> 
> I tried to re-install the replica, but it says CA-less mode can't issue a
> certificate, so I tried with kdc-cert-file, but then it says the cert is
> not valid (whereas it definitely works for web and ldap).
> 
> Anything I can do here and enable pkinit on that replica?

A KDC cert has some extensions not typically found in a server
certificate. This page outlines the requirements:
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html

rob
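
As an added illustration, not part of Rob's reply or of FreeIPA: a stdlib-only Python check for the two KDC-specific markers that RFC 4556 defines, the id-pkinit-KPKdc extended key usage and an id-pkinit-san otherName in the subject alternative name. The function names and sample inputs are constructed for this example (the samples are extension blocks, not whole certificates), and the check looks only for the OIDs, not for a correct principal name inside the SAN.

```python
# DER-encoded OID contents; dotted forms in the comments.
EKU, SAN = bytes.fromhex("551d25"), bytes.fromhex("551d11")  # 2.5.29.37, 2.5.29.17
KP_KDC = bytes.fromhex("2b060105020305")     # id-pkinit-KPKdc, 1.3.6.1.5.2.3.5
PKINIT_SAN = bytes.fromhex("2b0601050202")   # id-pkinit-san, 1.3.6.1.5.2.2

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i + 2 <= len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def extensions(der):
    """Map extension OID bytes -> extnValue for every Extension inside der."""
    found = {}
    for tag, val in tlvs(der):
        if tag & 0x20:                        # constructed type: look inside
            kids = list(tlvs(val))
            if tag == 0x30 and len(kids) in (2, 3) and kids[0][0] == 6 and kids[-1][0] == 4:
                found[kids[0][1]] = kids[-1][1]   # OID, [critical], OCTET STRING
            else:
                found.update(extensions(val))
    return found

def kdc_cert_problems(der):
    """Name the KDC-certificate markers that the DER blob is missing."""
    exts = extensions(der)
    ekus = [v for _, seq in tlvs(exts.get(EKU, b"")) for tag, v in tlvs(seq) if tag == 6]
    sans = [next(tlvs(v))[1] for _, seq in tlvs(exts.get(SAN, b""))
            for tag, v in tlvs(seq) if tag == 0xA0]   # 0xA0 = otherName, type-id first
    checks = (("EKU", "id-pkinit-KPKdc", KP_KDC, ekus), ("SAN", "id-pkinit-san", PKINIT_SAN, sans))
    return [f"{ext} lacks {name}" for ext, name, want, have in checks if want not in have]

def enc(tag, *parts):                         # DER builder for the constructed samples
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def sample(eku, name):                        # extensions block only, not a whole certificate
    ext = lambda o, v: enc(0x30, enc(6, o), enc(4, enc(0x30, v)))
    return enc(0xA3, enc(0x30, ext(EKU, enc(6, eku)), ext(SAN, name)))

# Constructed samples: a web-style cert (serverAuth EKU, dNSName SAN) and a KDC-style one.
WEB = sample(bytes.fromhex("2b06010505070301"), enc(0x82, b"ipa.example.test"))
KDC = sample(KP_KDC, enc(0xA0, enc(6, PKINIT_SAN), enc(0xA0, enc(0x30))))  # placeholder value
```

To run it against a real certificate, convert the PEM text to DER first with `ssl.PEM_cert_to_DER_cert()` and pass the result to `kdc_cert_problems()`.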