Skip Menu |

Subject: pkinit_identities should support path substitution
On a multi-user machine, it is not convenient to set up PKINIT so that
client certificates are obtained from each user's home directory. At
best, you can specify pkinit_identities = ENV:envvarname and put an
environment variable setting in every user's dotfiles.

In 1.11 we introduced a path substitution facility borrowed from Heimdal,
which could be applied to this purpose, especially if we added a %{home}
token for the home directory.

Here is an example of an administrator wanting to use path substitution
for pkinit_identities: