On a multi-user machine, it is not convenient to set up PKINIT so that client certificates are obtained from each user's home directory. At best, you can specify pkinit_identities = ENV:envvarname and put an environment variable setting in every user's dotfiles. In 1.11 we introduced a path substitution facility borrowed from Heimdal, which could be applied to this purpose, especially if we added a %{home} token for the home directory. Here is an example of an administrator wanting to use path substitution for pkinit_identities: http://mailman.mit.edu/pipermail/kerberos/2014-June/019922.html