Hi

On Thu, Jun 22, 2023 at 5:27 PM Алексей Иванов via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Greetings,
>
> I'm trying to configure my replica IPA servers to support PKINIT.
>
> [root@office-ipa-1 ~]# ipa-pkinit-manage enable
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed
> (CA_UNREACHABLE: Server at https://office-ipa-1.<domain>/ipa/json failed
> request, will retry: 4301 (Certificate operation cannot be completed: Key
> Parameters 4096,8192 Not Matched).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
> The ipa-pkinit-manage command was successful
> [root@office-ipa-1 ~]#
>
> I've manually installed the correct KDC cert with ipa-server-certinstall
> -k, but it seems I'm missing something out.
>
I know it is extremely confusing, but if you are using an
externally-signed KDC certificate, you don't need to execute
ipa-pkinit-manage enable. After adding the certificate with
ipa-server-certinstall -k, you can see that the server is configured for
pkinit with the following command:
# ipa pkinit-status
----------------
1 server matched
----------------
  Server name: server.ipa.test
  PKINIT status: enabled
----------------------------
Number of entries returned 1
----------------------------

Even though ipa-pkinit-manage status returns something different:
# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful

So in your case, execute ipa-server-certinstall -k and don't launch
ipa-pkinit-manage enable as this would try to issue a KDC cert signed by
IPA CA.

flo

> Error regarding Key Parameters 4096,8192 Not Matched is expected, as we've
> changed all our certificate templates to support 4096 key and above. But I
> don't understand why ipa-pkinit-manage enable command tries to issue a
> new certificate and does not utilise the existing one?
>
> Regards,
> Alex Ivanov.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
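An added pre-installation check, not part of the thread and not FreeIPA's own code: before handing an externally signed KDC certificate to ipa-server-certinstall -k, confirm that its RSA key size is one the CA's profile accepts and that it carries the PKINIT KDC extended key usage. The allowed sizes 4096 and 8192 are taken from the "Key Parameters 4096,8192" error in the quoted output; the EKU OID 1.3.6.1.5.2.3.5 (id-pkinit-KPKdc, RFC 4556), the helper names and the file names are assumptions, and openssl must be on the path. The certificates the demo builds are constructed self-signed test data.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): sanity-check a KDC
# certificate before `ipa-server-certinstall -k`.
# Assumptions: openssl on PATH; allowed RSA sizes come from the CA profile
# (4096/8192 in the quoted error); the PKINIT KDC EKU is id-pkinit-KPKdc,
# OID 1.3.6.1.5.2.3.5 (RFC 4556). All file names are constructed.

# check_kdc_cert PEMFILE ALLOWED_BITS...
# Returns 0 when the certificate's RSA key size is in ALLOWED_BITS and the
# certificate carries the PKINIT KDC extended key usage, 1 otherwise.
check_kdc_cert() {
    pem=$1; shift
    text=$(openssl x509 -in "$pem" -noout -text) || return 1
    # "Public-Key: (4096 bit)" appears in the text dump for RSA keys.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    ok=1
    for allowed in "$@"; do
        [ "$bits" = "$allowed" ] && ok=0
    done
    if [ "$ok" -ne 0 ]; then
        echo "$pem: key size ${bits:-unknown} not in allowed set: $*" >&2
        return 1
    fi
    # Newer OpenSSL prints the EKU by name; older releases print the bare OID.
    if ! printf '%s\n' "$text" | grep -Eq 'Signing KDC Response|id-pkinit-KPKdc|1\.3\.6\.1\.5\.2\.3\.5'; then
        echo "$pem: certificate lacks the PKINIT KDC extended key usage" >&2
        return 1
    fi
    return 0
}

# make_test_cert OUTPEM BITS EKU
# Constructed self-signed certificate for exercising the check (test data only).
make_test_cert() {
    keyfile=$(mktemp)
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$keyfile" -out "$1" \
        -subj "/CN=kdc.example.test" -days 1 \
        -addext "extendedKeyUsage=$3" >/dev/null 2>&1
    rc=$?
    rm -f "$keyfile"
    return $rc
}

# Stand-alone demo: build one acceptable certificate and report the verdict.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/kdc.pem" 4096 1.3.6.1.5.2.3.5
if check_kdc_cert "$demo_dir/kdc.pem" 4096 8192; then
    echo "$demo_dir/kdc.pem: acceptable for ipa-server-certinstall -k"
fi
rm -rf "$demo_dir"
```

Run it on the real certificate with `check_kdc_cert /path/to/kdc.pem 4096 8192`; a non-zero exit and a message on stderr tells you which of the two constraints the certificate misses, which is more informative than the CA_UNREACHABLE wrapper around the profile error in the quoted output.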