server certinstall: update KDC master entry

After the KDC certificate is installed, add the PKINIT enabled flag to the
KDC master entry.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

ipaserver/install/ipa_server_certinstall.py

@@ -34,7 +34,7 @@ from ipapython.certdb import (get_ca_nickname,
                               verify_kdc_cert_validity)
 from ipapython.dn import DN
 from ipalib import api, errors
-from ipaserver.install import certs, dsinstance, installutils
+from ipaserver.install import certs, dsinstance, installutils, krbinstance
 
 
 class ServerCertInstall(admintool.AdminTool):
@@ -223,6 +223,13 @@ class ServerCertInstall(admintool.AdminTool):
         except RuntimeError as e:
             raise admintool.ScriptError(str(e))
 
+        krb = krbinstance.KrbInstance()
+        krb.init_info(
+            realm_name=api.env.realm,
+            host_name=api.env.host,
+        )
+        krb.pkinit_enable()
+
     def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
         # create a temp nssdb
         with NSSDatabase() as tempnssdb: