Recent versions of FreeIPA support kinit -n. However, we need a file that has certificates from all the servers.
We have three servers. Their certificates renew themselves automatically a few hours before expiration. But then we need to concatenate all of them and put them on all clients.
It should be part of the ipa client, or maybe sssd, to retrieve the updated certs.
We depend upon kinit -n as part of the script for doing kinit for users for one-time passwords. I had written a hack that uses a random user with no abilities. Until we can find a way to distribute certs whenever they change, I’m going to return to the hack rather than kinit -n.
freeipa-users@lists.fedorahosted.org
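
The bundle-rebuild step described in the message above, as an added example that is not part of the original post or of FreeIPA: it merges each server's PEM certificate into one file and rewrites that file only when the set of certificates changed, so a renewal is the only thing that triggers redistribution. The function names and the idea of passing in each server's PEM text are assumptions; the code treats certificates as opaque blocks and does not check signatures or expiry.

```python
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every certificate block found in PEM text."""
    # validate=True rejects a corrupted block instead of copying it into the bundle.
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(text)]


def build_bundle(pem_texts):
    """Merge PEM texts (assumed: one per server) into one de-duplicated bundle."""
    unique = {}
    for text in pem_texts:
        for der in pem_certs(text):
            unique[hashlib.sha256(der).hexdigest()] = der
    blocks = []
    for fingerprint in sorted(unique):  # stable order: same certs, same bytes
        b64 = base64.b64encode(unique[fingerprint]).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return "".join(blocks)


def update_bundle(path, pem_texts):
    """Rewrite path only if the certificate set changed; return True if it did."""
    new = build_bundle(pem_texts)
    if not new:
        raise ValueError("no certificates found; keeping the existing bundle")
    try:
        with open(path, encoding="ascii") as fh:
            if fh.read() == new:
                return False
    except FileNotFoundError:
        pass
    # Write a temp file in the same directory, then rename over the old bundle,
    # so a client never reads a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(new)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True
```

A `True` return is the signal to push the new bundle to clients; a `False` return means every client copy is still current.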