From bd8b2a6a380b6b10ea1a3f90e8a1c8f775f5fc2c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 18 Apr 2025 12:23:10 -0400
Subject: [PATCH] Clarify X509_user_identity documentation

Document that PKINIT identity specifier values must not contain
colons.

ticket: 9154
---
 doc/admin/conf_files/krb5_conf.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index e80e02ebab..e0c7a63309 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1052,8 +1052,10 @@ information for PKINIT is as follows:
     a particular smard card reader or token if there is more than one
     available.  ``certid=`` and/or ``certlabel=`` may be specified to
     force the selection of a particular certificate on the device.
-    See the **pkinit_cert_match** configuration option for more ways
-    to select a particular certificate to use for PKINIT.
+    Specifier values must not contain colon characters, as colons are
+    always treated as separators.  See the **pkinit_cert_match**
+    configuration option for more ways to select a particular
+    certificate to use for PKINIT.
 
 **ENV:**\ *envvar*
     *envvar* specifies the name of an environment variable which has
-- 
2.47.2