diff --git a/lib/srv/db/common/kerberos/kinit/kinit.go b/lib/srv/db/common/kerberos/kinit/kinit.go
index c7454a6b36585..cc741ab437776 100644
--- a/lib/srv/db/common/kerberos/kinit/kinit.go
+++ b/lib/srv/db/common/kerberos/kinit/kinit.go
@@ -178,7 +178,6 @@ func (d *dbCertGetter) getCertificate(ctx context.Context, username string) (*ge
 TTL: time.Minute * 10,
 Domain: d.domain,
 ClusterName: clusterName.GetClusterName(),
- OmitCDP: true,
 Username: username,
 ActiveDirectorySID: sid,
 }
diff --git a/lib/srv/db/common/kerberos/kinit/kinit_test.go b/lib/srv/db/common/kerberos/kinit/kinit_test.go
index ab526efcac8c5..bbb94c18e3475 100644
--- a/lib/srv/db/common/kerberos/kinit/kinit_test.go
+++ b/lib/srv/db/common/kerberos/kinit/kinit_test.go
@@ -21,14 +21,17 @@ package kinit
 import (
 "context"
 _ "embed"
+ "log/slog"
 "os"
 "testing"
 
 "github.com/gravitational/trace"
 "github.com/stretchr/testify/require"
 
+ "github.com/gravitational/teleport/api/client/proto"
 "github.com/gravitational/teleport/api/types"
 "github.com/gravitational/teleport/lib/fixtures"
+ "github.com/gravitational/teleport/lib/tlsca"
 "github.com/gravitational/teleport/lib/winpki"
 )
 
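Review bot: Removing `OmitCDP: true` changes the contents of the certificate the domain controller validates, but nothing in the hunk records why the CRL distribution point is now wanted, so a later reader may reinstate the flag as a cleanup. A short comment above the field list would pin the intent, e.g. `// Keep the CRL distribution point in the issued cert; the DC is expected to use it for revocation checks during PKINIT.` — the revocation motivation is my inference and should be confirmed against the caller that consumes this certificate. The tests added in kinit_test.go and ldap_test.go only assert that CRLDomain is non-empty, so how that value is derived from Domain and ClusterName is not visible in this diff. getCertificate's body starts and ends outside the hunk.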
@@ -162,3 +165,36 @@ func TestKRBConfString(t *testing.T) {
 require.NoError(t, err)
 require.Equal(t, expectedConfString, krb5Config)
 }
+
+type mockConnector struct {
+}
+
+func (m *mockConnector) GetActiveDirectorySID(ctx context.Context, username string) (sid string, err error) {
+ return "S-1-5-21-2191801808-3167526388-2669316733-1104", nil
+}
+
+func TestGetCertificate(t *testing.T) {
+ auth := &mockAuthClient{
+ generateDatabaseCert: func(ctx context.Context, request *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error) {
+ require.NotEmpty(t, request.CRLDomain)
+
+ csr, err := tlsca.ParseCertificateRequestPEM(request.CSR)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ require.Equal(t, "CN=alice", csr.Subject.String())
+ require.Len(t, csr.Extensions, 3)
+ return generateDatabaseCert(ctx, request)
+ },
+ }
+
+ getter := &dbCertGetter{
+ logger: slog.New(slog.DiscardHandler),
+ auth: auth,
+ domain: "example.com",
+ ldapConnector: &mockConnector{},
+ }
+
+ _, err := getter.getCertificate(context.Background(), "alice")
+ require.NoError(t, err)
+}
diff --git a/lib/srv/db/common/kerberos/kinit/ldap_test.go b/lib/srv/db/common/kerberos/kinit/ldap_test.go
index 4c42a9f6231ad..39702d343ef8f 100644
--- a/lib/srv/db/common/kerberos/kinit/ldap_test.go
+++ b/lib/srv/db/common/kerberos/kinit/ldap_test.go
@@ -90,6 +90,8 @@ func (m *mockAuthClient) GetClusterName(ctx context.Context) (types.ClusterName,
 func TestTLSConfigForLDAP(t *testing.T) {
 auth := &mockAuthClient{
 generateDatabaseCert: func(ctx context.Context, request *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error) {
+ require.NotEmpty(t, request.CRLDomain)
+
 csr, err := tlsca.ParseCertificateRequestPEM(request.CSR)
 if err != nil {
 return nil, trace.Wrap(err)
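Review bot: `require.NotEmpty(t, request.CRLDomain)` in the generateDatabaseCert mock only proves that some CDP domain is present, so a regression that fills it with the wrong value (the cluster name in place of the AD domain, or vice versa) would still pass; since the getter is built with `domain: "example.com"` and a fixed mock cluster name, the expected value should be derivable and pinned with `require.Equal(t, <expected CRL domain>, request.CRLDomain)`. The same weak assertion is added in the ldap_test.go hunk below. `require.Len(t, csr.Extensions, 3)` likewise pins a count without saying which extensions the CSR must carry, so a comment naming them (or an assertion on their OIDs) would make the intent durable. Calling `require` inside the callback also presumes getCertificate invokes it synchronously on the test goroutine, which is not visible in this hunk.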