Use protocol error for PKINIT cert expiry If we fail to create a cert chain in cms_signeddata_create(), return KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code, rather than KRB5_PREAUTH_FAILED, which doesn't. This is also more consistent with other error clauses in the same function. (cherry picked from commit cd59782cb32b79e4001a86b0fe47af8b6275ef0c) https://github.com/krb5/krb5/commit/d2935ee933907870b1e5c97aab723bc63b47d0ec Author: Greg Hudson Committer: Tom Yu Commit: d2935ee933907870b1e5c97aab723bc63b47d0ec Branch: krb5-1.11 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)