Use protocol error for PKINIT cert expiry If we fail to create a cert chain in cms_signeddata_create(), return KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code, rather than KRB5_PREAUTH_FAILED, which doesn't. This is also more consistent with other error clauses in the same function. https://github.com/krb5/krb5/commit/cd59782cb32b79e4001a86b0fe47af8b6275ef0c Author: Greg Hudson Commit: cd59782cb32b79e4001a86b0fe47af8b6275ef0c Branch: master src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)