#55 Server install: add KDC certificate to be able to handle PKINIT
Closed: Fixed None Opened 13 years ago by dpal.

This ticket is related to the ticket #53.

The KDC should have a cert for the PKINIT to work.
Nalin please provide details about the profile.
That begs the question: what settings will be required?

I didn't intend to leave you hanging; I didn't know we were going there
yet. Mainly, the certificate needs to contain a subjectAltName value that
includes the Kerberos principal name for the realm's ticket granting
service, "krbtgt/REALM@REALM".

I'd also suggest including id-pkinit-KPKdc (1.3.6.1.5.2.3.5) as an EKU
value, though that's optional if the subjectAltName is there. The
keyUsage should include digitalSignature.

The more verbose description of the requirements the client places on the
KDC's certificate is laid out in section 3.2.4 of RFC4556.

The KDC needs to trust the certifier of the client certificates, and of course its own. The pkinit_anchors setting in the kdc.conf file can be used for this. Additionally, the KDC needs access to its own certificate and private key; the pkinit_identity setting is used for this. If the certificate and key are stored in files, then the right parts of kdc.conf might include this:

[realms]
  IPAREALM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  }

Apparently certutil does not provide a way to set the subjectAltName extension for Kerberos principal names needed to generate a certificate for the KDC. This makes it difficult to create a self-signed cert for it using our selfsign CA.
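
As an added illustration (not from this ticket or from FreeIPA's code), this is the piece certutil cannot emit: the krbtgt/REALM@REALM otherName value for the subjectAltName, encoded as DER with only the Python standard library, plus a parser that applies the client-side check of RFC 4556 section 3.2.4. The name-type NT_SRV_INST and the helper names are assumptions of this example.

```python
# Added example: DER for the PKINIT KDC SAN otherName (KRB5PrincipalName, RFC 4556 s3.2.2)
ID_PKINIT_SAN = b"\x06\x06\x2b\x06\x01\x05\x02\x02"  # OBJECT IDENTIFIER 1.3.6.1.5.2.2
NT_SRV_INST = 2   # RFC 4120 name-type for krbtgt (assumption; MIT's openssl.cnf sample uses 1)
def _length(n):   # DER length: short form, or 0x80|N followed by N big-endian bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def kstr(s):      return tlv(0x1B, s.encode("ascii"))   # KerberosString = GeneralString
def seq(*items):  return tlv(0x30, b"".join(items))
def ctx(n, body): return tlv(0xA0 | n, body)            # [n] constructed (EXPLICIT)

def kdc_san(realm, name_type=NT_SRV_INST):
    """GeneralName otherName naming krbtgt/REALM@REALM (name_type assumed < 128)."""
    principal = seq(ctx(0, tlv(0x02, bytes([name_type]))),           # [0] name-type
                    ctx(1, seq(kstr("krbtgt"), kstr(realm))))        # [1] name-string
    krb5_name = seq(ctx(0, kstr(realm)), ctx(1, principal))
    # otherName is [0] IMPLICIT OtherName, so the outer SEQUENCE tag becomes 0xA0
    return ctx(0, ID_PKINIT_SAN + ctx(0, krb5_name))

def _read(buf, pos=0):   # one DER element -> (tag, contents, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_kdc_san(der):
    """Return (realm, name-string list), or None if not a KRB5PrincipalName otherName."""
    tag, body, _ = _read(der)
    if tag != 0xA0 or not body.startswith(ID_PKINIT_SAN):
        return None
    _, kpn, _ = _read(_read(body, len(ID_PKINIT_SAN))[1])   # [0] EXPLICIT -> SEQUENCE
    _, realm_ctx, pos = _read(kpn)                          # [0] Realm
    _, pn, _ = _read(_read(kpn, pos)[1])                    # [1] PrincipalName
    _, _, pos = _read(pn)                                   # skip [0] name-type
    _, ns, _ = _read(_read(pn, pos)[1])                     # [1] SEQUENCE OF KerberosString
    names, pos = [], 0
    while pos < len(ns):
        _, s, pos = _read(ns, pos)
        names.append(s.decode("ascii"))
    return _read(realm_ctx)[1].decode("ascii"), names

def names_kdc_of_realm(der, realm):   # the client-side check: SAN == krbtgt/REALM@REALM
    return parse_kdc_san(der) == (realm, ["krbtgt", realm])
```

The encoded value is what a CA places inside the subjectAltName extension; a KDC certificate without it fails the check in names_kdc_of_realm even if the EKU and keyUsage are right.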

Ticket #46 was actually a duplicate of this one, consolidating (by closing #46 as duplicate).

Pushed patches that handle all cases but dogtag.
Closing this bug and opening a new one that deals only with dogtag integration.

Metadata Update from @dpal:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 2.0 - 2010/11
