From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 18 Apr 2025 16:23:10 +0000 (-0400)
Subject: Clarify X509_user_identity documentation
X-Git-Tag: krb5-1.22-beta1~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd8b2a6a380b6b10ea1a3f90e8a1c8f775f5fc2c;p=thirdparty%2Fkrb5.git

Clarify X509_user_identity documentation

Document that PKINIT identity specifier values must not contain
colons.

ticket: 9154
---

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index e80e02ebab..e0c7a63309 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1052,8 +1052,10 @@ information for PKINIT is as follows:
     a particular smard card reader or token if there is more than one
     available.  ``certid=`` and/or ``certlabel=`` may be specified to
     force the selection of a particular certificate on the device.
-    See the **pkinit_cert_match** configuration option for more ways
-    to select a particular certificate to use for PKINIT.
+    Specifier values must not contain colon characters, as colons are
+    always treated as separators.  See the **pkinit_cert_match**
+    configuration option for more ways to select a particular
+    certificate to use for PKINIT.
 
 **ENV:**\ *envvar*
     *envvar* specifies the name of an environment variable which has