Subject: PKINIT docs only work for one-component client principals
The extensions.client file in pkinit.rst creates a single-principal SAN,
even if the CLIENT environment variable is set to a value containing
slashes. If the resulting certificate is used with a multi-component
client principal, the KDC will deny the request with a client mismatch
error (without enough detail in the logs; see #7938).

The documentation should explain this and should explain how to modify
extensions.client to create multi-component principal SANs.
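
An added illustration of the change the ticket asks the documentation to describe (not text from pkinit.rst or from the commit): the script below emits the SAN sections of an OpenSSL extensions file with one `princN` entry per principal component. The section names and `GeneralString` layout follow the `extensions.client` sample as recalled from the MIT krb5 documentation and should be checked against your copy; the function names and the conservative character whitelist are assumptions of this example.

```python
import re

# Conservative whitelist (assumption of this example): keeps OpenSSL config
# metacharacters such as '$', '#', quotes and newlines out of the output.
SAFE = re.compile(r"[A-Za-z0-9._-]+")

def split_principal(name):
    """Split 'c1/c2@REALM' into ([components], realm-or-None); '\\' escapes."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped char stays in component
            cur.append(name[i + 1])
            i += 2
            continue
        if ch == "@":                          # rest of the string is the realm
            realm = name[i + 1:]
            break
        if ch == "/":                          # component separator
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    comps.append("".join(cur))
    return comps, realm

def san_sections(principal, default_realm=None):
    """Return the [princ_name], [principal_seq] and [principals] sections."""
    comps, realm = split_principal(principal)
    realm = realm or default_realm
    for value in comps + [realm or ""]:
        if not SAFE.fullmatch(value):
            raise ValueError(f"unsupported or empty value: {value!r}")
    lines = [
        "[princ_name]",
        f"realm=EXP:0,GeneralString:{realm}",
        "principal_name=EXP:1,SEQUENCE:principal_seq",
        "",
        "[principal_seq]",
        "name_type=EXP:0,INTEGER:1",
        "name_string=EXP:1,SEQUENCE:principals",
        "",
        "[principals]",
    ]
    # One GeneralString per component; a single entry holding "host/example.com"
    # is what produces the client mismatch described in the ticket.
    lines += [f"princ{n}=GeneralString:{c}" for n, c in enumerate(comps, 1)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(san_sections("host/example.com@EXAMPLE.COM"))  # constructed sample
```
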
From: ghudson@mit.edu
Subject: git commit

Document multi-component PKINIT client certs

In pkinit.rst, note that the extensions.client file only works for
single-component client principals, and describe how to modify it for
multi-component principals.

https://github.com/krb5/krb5/commit/8abbb9b805e457849e9e414bd2ef610ad9fc4f06
Author: Greg Hudson <ghudson@mit.edu>
Commit: 8abbb9b805e457849e9e414bd2ef610ad9fc4f06
Branch: master
doc/admin/pkinit.rst | 21 ++++++++++++++++++---
1 files changed, 18 insertions(+), 3 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Document multi-component PKINIT client certs

In pkinit.rst, note that the extensions.client file only works for
single-component client principals, and describe how to modify it for
multi-component principals.

(cherry picked from commit 8abbb9b805e457849e9e414bd2ef610ad9fc4f06)

https://github.com/krb5/krb5/commit/55ad97d03c9581cf8c6a868e9151702e53071a62
Author: Greg Hudson <ghudson@mit.edu>
Commit: 55ad97d03c9581cf8c6a868e9151702e53071a62
Branch: krb5-1.15
doc/admin/pkinit.rst | 21 ++++++++++++++++++---
1 files changed, 18 insertions(+), 3 deletions(-)