Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) Subject: PKINIT docs only work for one-component client principals X-RT-Original-Encoding: iso-8859-1 Content-Length: 474 The extensions.client file in pkinit.rst creates a single-principal SAN, even if the CLIENT environment variable is set to a value containing slashes. If the resulting certificate is used with a multi-component client principal, the KDC will deny the request with a client mismatch error (without enough detail in the logs; see #7938). The documentation should explain this and should explain how to modify extensions.client to create multi-component principal SANs.