[Freeipa-users] Re: PKINIT questions
Hi,

On Sat, Jul 1, 2023 at 3:48 AM alexey safonov wrote:

> Got it, thanks. Would it be possible to use a self-signed certificate for
> the KDC, while for dirsrv/http a normal certificate signed by a public
> CA?

It is possible to have different certificates for dirsrv/httpd/kdc, and even different cert chains. For instance ExternalCA1 > dirsrv, ExternalCA2 > http, ExternalCA3 > KDC. Each one can be installed with ipa-cacert-manage install -t CT,C,C followed by ipa-certupdate and ipa-server-certinstall (with either -d / -w / -k).

If I recall correctly, a self-signed KDC certificate will allow IPA to function but won't enable PKINIT authentication (see https://freeipa.org/page/V4/Kerberos_PKINIT). You can generate a CA and have this CA generate your KDC cert by following the instructions from https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html

flo

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: PKINIT questions
Got it, thanks. Would it be possible to use a self-signed certificate for the KDC, while for dirsrv/http a normal certificate signed by a public CA?

On Mon, Jun 19, 2023 at 14:46, Florence Blanc-Renaud wrote:

> Hi,
>
> On Sun, Jun 18, 2023 at 3:47 AM alexey safonov via FreeIPA-users wrote:
>
>> I'm just surprised then, how do other replicas have PKINIT?
>
> In your first email you mentioned that the topology used to have a CA. If a
> replica was installed at that time then IPA CA issued a KDC certificate for
> this replica, with the required extensions. But be aware that when it reaches
> its expiration date, it won't be automatically renewed, and you will have to
> get a new KDC cert outside of IPA, then install it using
> ipa-server-certinstall with the --kdc option.
>
> flo
[Freeipa-users] Re: PKINIT questions
Hi,

On Sun, Jun 18, 2023 at 3:47 AM alexey safonov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> I'm just surprised then, how do other replicas have PKINIT?

In your first email you mentioned that the topology used to have a CA. If a replica was installed at that time then IPA CA issued a KDC certificate for this replica, with the required extensions. But be aware that when it reaches its expiration date, it won't be automatically renewed, and you will have to get a new KDC cert outside of IPA, then install it using ipa-server-certinstall with the --kdc option.

flo
[Freeipa-users] Re: PKINIT questions
I'm just surprised then, how do other replicas have PKINIT?

On Fri, Jun 16, 2023 at 23:07, Rob Crittenden wrote:

> A KDC cert has some extensions not typically found in a server
> certificate. This page outlines the requirements:
> https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html
>
> rob
[Freeipa-users] Re: PKINIT questions
alexey safonov via FreeIPA-users wrote:

> Hi, I've a FreeIPA setup 4.10.1 (that's a long-living setup that was
> upgraded many times). It is a CA-less setup (initially we had a CA, but
> then it was removed). So now 4 of my servers are saying that PKINIT
> is enabled and one server is saying "disabled".
>
> I tried to re-install the replica, but it says CA-less mode can't issue a
> certificate, so I tried with kdc-cert-file, but then it says the cert is
> not valid (whereas it definitely works for web and ldap).
>
> Anything I can do here to enable pkinit on that replica?

A KDC cert has some extensions not typically found in a server certificate. This page outlines the requirements: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html

rob
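Rob's point that a KDC certificate carries extensions a web or LDAP server certificate does not, and Florence's note earlier in the thread that a self-signed KDC certificate leaves PKINIT disabled, are the two things worth checking before handing a cert to ipa-server-certinstall --kdc. The script below is an added example, not code from the thread, FreeIPA or MIT Kerberos. It assumes the two PKINIT object identifiers from RFC 4556 and the MIT PKINIT page the thread links (extendedKeyUsage id-pkinit-KPKdc 1.3.6.1.5.2.3.5, and a subjectAltName otherName of type id-pkinit-san 1.3.6.1.5.2.2 carrying a KRB5PrincipalName for krbtgt/REALM@REALM); the realm EXAMPLE.TEST, the name-type value and the function names (krb5_principal_name_der, parse_krb5_principal_name, check_kdc_cert, extensions_from_pem) are the example author's own. The DER encoder/decoder and the check itself use only the standard library; the third-party cryptography package is needed only by extensions_from_pem to read a real PEM file.

```python
"""Check the PKINIT-specific extensions a KDC certificate needs (added example,
not FreeIPA or MIT code; OIDs per RFC 4556, realm and names are constructed)."""
import sys

ID_PKINIT_KDC = "1.3.6.1.5.2.3.5"  # EKU id-pkinit-KPKdc (KDC may sign PKINIT replies)
ID_PKINIT_SAN = "1.3.6.1.5.2.2"    # SAN otherName type id-pkinit-san (KRB5PrincipalName)

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
# KerberosString is a GeneralString (tag 0x1B); context tags [n] are 0xA0 + n.
GENERAL_STRING, SEQUENCE, CTX0, CTX1 = 0x1B, 0x30, 0xA0, 0xA1
NT_PRINCIPAL = 1  # RFC 4120 name-type used for the constructed sample


def der(tag, content):
    """Encode one DER TLV, using the long length form when content >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def der_integer(value):
    """DER INTEGER for a non-negative value (extra byte keeps the sign bit clear)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed value into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def krb5_principal_name_der(realm, components, name_type=NT_PRINCIPAL):
    """DER-encode the otherName value naming components@realm (e.g. krbtgt/REALM@REALM)."""
    names = b"".join(der(GENERAL_STRING, c.encode("ascii")) for c in components)
    principal = der(SEQUENCE, der(CTX0, der_integer(name_type)) + der(CTX1, der(SEQUENCE, names)))
    return der(SEQUENCE, der(CTX0, der(GENERAL_STRING, realm.encode("ascii"))) + der(CTX1, principal))


def parse_krb5_principal_name(data):
    """Decode a KRB5PrincipalName; returns (realm, name_type, [components])."""
    tag, body, _ = read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not a KRB5PrincipalName SEQUENCE")
    outer = dict(children(body))
    rtag, realm, _ = read_tlv(outer[CTX0])
    ptag, pbody, _ = read_tlv(outer[CTX1])
    if rtag != GENERAL_STRING or ptag != SEQUENCE:
        raise ValueError("bad realm or PrincipalName encoding")
    inner = dict(children(pbody))
    name_type = int.from_bytes(read_tlv(inner[CTX0])[1], "big", signed=True)
    comps = [v.decode("ascii") for t, v in children(read_tlv(inner[CTX1])[1]) if t == GENERAL_STRING]
    return realm.decode("ascii"), name_type, comps


def check_kdc_cert(realm, eku_oids, other_names, self_signed=False):
    """Return the reasons this cert would not serve PKINIT (empty list = extensions present).

    eku_oids: dotted OIDs from extendedKeyUsage; other_names: (type OID, DER value) pairs
    from subjectAltName; self_signed: issuer equals subject.
    """
    problems = []
    if self_signed:
        problems.append("self-signed KDC certificate: IPA works, but PKINIT is not enabled")
    if ID_PKINIT_KDC not in eku_oids:
        problems.append(f"extendedKeyUsage lacks id-pkinit-KPKdc ({ID_PKINIT_KDC})")
    seen = []
    for oid, value in other_names:
        if oid != ID_PKINIT_SAN:
            continue
        try:
            r, _, comps = parse_krb5_principal_name(value)
        except (ValueError, KeyError, IndexError) as exc:
            problems.append(f"malformed id-pkinit-san value: {exc}")
            continue
        seen.append(f"{'/'.join(comps)}@{r}")
        if (r, comps) == (realm, ["krbtgt", realm]):
            break
    else:  # loop ended without finding the krbtgt principal for this realm
        problems.append(f"no id-pkinit-san otherName for krbtgt/{realm}@{realm}"
                        + (f" (found: {', '.join(seen)})" if seen else ""))
    return problems


def extensions_from_pem(pem_bytes):
    """(eku_oids, other_names, self_signed) of a PEM cert; needs the 'cryptography' package."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem_bytes)
    try:
        eku = [o.dotted_string for o in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value]
    except x509.ExtensionNotFound:
        eku = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        others = [(n.type_id.dotted_string, n.value) for n in san.get_values_for_type(x509.OtherName)]
    except x509.ExtensionNotFound:
        others = []
    return eku, others, cert.issuer == cert.subject


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: kdc_cert_check.py REALM kdc.pem
        realm = sys.argv[1]
        with open(sys.argv[2], "rb") as fh:
            eku, others, self_signed = extensions_from_pem(fh.read())
    else:  # constructed sample: correct SAN, but a serverAuth-only EKU like a web cert
        realm = "EXAMPLE.TEST"
        others = [(ID_PKINIT_SAN, krb5_principal_name_der(realm, ["krbtgt", realm]))]
        eku, self_signed = ["1.3.6.1.5.5.7.3.1"], False
    for line in check_kdc_cert(realm, eku, others, self_signed) or ["PKINIT KDC extensions present"]:
        print(line)
```

Run without arguments it reports the serverAuth-only EKU of the constructed sample, which is the same shape of failure as a web certificate reused for the KDC. The principal check reflects the default MIT client behaviour; clients configured with pkinit_kdc_hostname match a dNSName instead, so a certificate that fails only the SAN check here may still work for such clients.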
[Freeipa-users] Re: pkinit
On Thu, Feb 08, 2018 at 09:43:48PM -0600, Sergei Gerasenko via FreeIPA-users wrote:

> Hello,
>
> I recently upgraded to version 4.5 of FreeIPA. I only upgraded the server,
> not the clients. Do my clients now have to use pkinit? Or is it optional? How
> can I check what is being used? I’m concerned that if the environment now is
> so certificate centric, I will someday be locked out because some certificate
> has expired.

PKINIT is optional. As long as the users have a password assigned, password authentication should always work.

HTH

bye,
Sumit