Greetings, I'm trying to configure my replica IPA servers to support PKINIT.
[root@office-ipa-1 ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://office-ipa-1.<domain>/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Key Parameters 4096,8192 Not Matched).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@office-ipa-1 ~]#

I've manually installed the correct KDC cert with ipa-server-certinstall -k, but it seems I'm missing something. The error regarding "Key Parameters 4096,8192 Not Matched" is expected, as we've changed all our certificate templates to support 4096-bit keys and above. But I don't understand why the ipa-pkinit-manage enable command tries to issue a new certificate and does not utilise the existing one?

Regards,
Alex Ivanov.
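The error quoted above says the CA profile only accepts 4096- or 8192-bit keys, so the first thing to check is the key size of the certificate that was installed by hand. The script below is an added example, not part of the post or of FreeIPA itself; it reads the public-key size out of a PEM certificate with openssl and compares it against a comma-separated list of permitted sizes in the form the error message uses. The path /var/kerberos/krb5kdc/kdc.crt is an assumption about the usual location of the KDC certificate, and the sample certificate is generated on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the FreeIPA project):
# report the RSA key size of a PEM certificate and compare it with a CA
# profile's permitted key sizes. Assumes the openssl CLI is installed.

# Print the public-key size in bits of the certificate in file $1.
# The sed pattern matches "Public-Key: (4096 bit)" on OpenSSL 1.0, 1.1 and 3.x.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when the key size of certificate $1 appears in the comma-separated
# list $2 (for instance "4096,8192", the form shown in the error message),
# 1 when it does not, and 2 when no key size could be read from the file.
key_size_allowed() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || return 2
    case ",$2," in
        *",$bits,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample: a throwaway self-signed certificate with an RSA key of
# $2 bits written to $1, used only to demonstrate the check offline.
make_sample_cert() {
    tmpkey=$(mktemp)
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$tmpkey" -out "$1" \
        -subj "/CN=sample-kdc" -days 1 >/dev/null 2>&1
    rc=$?
    rm -f "$tmpkey"
    return $rc
}

# Stand-alone usage: check the KDC certificate against the 4096,8192 policy.
# The path is an assumption; pass another certificate as the first argument.
if [ "${CHECK_KDC_CERT:-0}" = "1" ]; then
    cert="${1:-/var/kerberos/krb5kdc/kdc.crt}"
    if key_size_allowed "$cert" "4096,8192"; then
        echo "$cert: key size $(cert_key_bits "$cert") is permitted by the profile"
    else
        echo "$cert: key size $(cert_key_bits "$cert") does not match 4096,8192"
    fi
fi
```

Run it as `CHECK_KDC_CERT=1 sh check-kdc-key.sh /path/to/kdc.crt`; a certificate whose key is smaller than the profile allows is the same condition the CA reports as "Key Parameters 4096,8192 Not Matched", so this tells you whether the hand-installed certificate would itself pass the policy.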
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
