In appdefaults:
  allow_pkinit     - Enable or disable the module.  Default is "yes".
  allow_pkinit_server - Enable or disable the module for KDCs.  Default is
                        to take the value of the "allow_pkinit" option.
                        Overrides "allow_pkinit".
  allow_pkinit_client - Enable or disable the module for clients.  Default is
                        to take the value of the "allow_pkinit" option.
                        Overrides "allow_pkinit".
  trusted_guid     - GUID extension value which the client will trust if the
                     KDC's cert has no subjectAltName value which can be used.
                     No default.
  ocsp_checking    - Enable or disable OCSP checking.  Default is "yes" for
                     KDCs, "no" for clients.
  is_hw            - Assume that a PKINIT client also satisfies requires_hwauth
                     requirements.  Default is "no".
  try_dh           - Enable DH instead of enckey-based kinit.  Default is "yes".
  minimum_dh_prime_size - Minimum acceptable size for DH primes.  Default 1024.
  preferred_group  - Preferred Oakley group when using DH.  The default
                     moduli included with Heimdal correspond to 14.  Default
                     is "2".  Valid values include 1, 2, 5, 14, 15, 16.
  mappings_file    - Name of a principal-name-to-subject-DN mapping file.  No
                     default setting.
  trust_pkinit_san - Whether or not to trust PKINIT-style subjectAltName values
                     in certificates.  Default is "yes".
  trust_upn_san    - Whether or not to trust userPrincipalName subjectAltName
                     values in certificates.  Default is "yes".
  client_database  - Location of the certificate/key/token database used by the
                     client.  Default is set at compile-time.
  client_certificate - Location of the certificate used by the client.  No
                       default.
  client_private_key - Location of the private key used by the client.  No
                       default.
  client_certificate_pool - Location of the directory which holds intermediate
                            certificates for use by the client.  No default.
  client_ca_certificate - Location of the client's CA's certificate.  No
                          default.
  client_ca_certificate_pool - Location of the directory which holds
                               certificates of CAs which are trusted by the
                               client.  No default.
  server_database  - Location of the certificate/key/token database used by the
                     KDC.  Default is set at compile-time.
  server_certificate - Location of the certificate used by the KDC.  No
                       default.
  server_private_key - Location of the private key used by the KDC.  No
                       default.
  server_certificate_pool - Location of the directory which holds intermediate
                            certificates for use by the KDC.  No default.
  server_ca_certificate - Location of the KDC's CA's certificate.  No default.
  server_ca_certificate_pool - Location of the directory which holds
                               certificates of CAs which are trusted by the
                               KDC.  No default.
  debug_level      - Logging level.  Default is "0".
  debug_syslog     - Whether or not to send debug messages to syslog.  Default
                     is "yes".
  debug_stdout     - Whether or not to send debug messages to stdout if stdout
                     is a terminal device.  Default is "no".
  debug_stderr     - Whether or not to send debug messages to stderr if stderr
                     is a terminal device.  Default is "no".
  trusted_servers  - DNS names which, if found in a KDC's certificate, will
                     make it acceptable as an alternate to having a matching
                     principal name or GUID.

[appdefaults]
 allow_pkinit = no
 pkinit = {
   BOSTON.REDHAT.COM = {
     trusted_guid = 9a:37:dd:c9:ad:15:34:4e:9d:36:b4:9f:fd:91:b8:74
   }
 }
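
To see how the "allow_pkinit" precedence rules and the nested appdefaults syntax above resolve in practice, the following added Python example (not part of the Heimdal documentation or source) parses a constructed fragment, computes the effective per-realm settings and checks minimum_dh_prime_size and preferred_group against the documented values. It assumes the usual appdefaults lookup order in which a realm-specific value inside the pkinit block wins over a top-level one; EXAMPLE.COM is a placeholder realm.

```python
# Added example; not from the PKINIT documentation or Heimdal source.
# Resolves effective PKINIT settings for one realm and flags weak values.
SAMPLE_CONF = """\
[appdefaults]
 allow_pkinit = no
 pkinit = {
   EXAMPLE.COM = {
     allow_pkinit_client = yes
     minimum_dh_prime_size = 512
     preferred_group = 3
   }
 }
"""  # constructed sample; EXAMPLE.COM is a placeholder realm

def parse_block(lines):
    """Parse 'key = value' and nested 'key = { ... }' into dicts.
    `lines` is an iterator so each recursive call consumes its own lines."""
    node = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith('['):
            continue                     # blank line or section header
        if line == '}':
            return node                  # end of the enclosing block
        key, _, value = (s.strip() for s in line.partition('='))
        node[key] = parse_block(lines) if value == '{' else value
    return node

def effective_pkinit(conf_text, realm):
    """Realm-specific values in the pkinit block win over top-level ones
    (assumption: usual appdefaults lookup order); allow_pkinit_client and
    allow_pkinit_server fall back to allow_pkinit when unset."""
    app = parse_block(iter(conf_text.splitlines()))
    realm_conf = app.get('pkinit', {}).get(realm, {})
    def get(key, default):
        return realm_conf.get(key, app.get(key, default))
    allow = get('allow_pkinit', 'yes')   # documented default is "yes"
    return {
        'allow_pkinit_client': get('allow_pkinit_client', allow),
        'allow_pkinit_server': get('allow_pkinit_server', allow),
        'minimum_dh_prime_size': int(get('minimum_dh_prime_size', 1024)),
        'preferred_group': int(get('preferred_group', 2)),
    }

def check_pkinit(settings):
    """Return findings for values below or outside the documented ranges."""
    findings = []
    if settings['minimum_dh_prime_size'] < 1024:
        findings.append('minimum_dh_prime_size below the documented default 1024')
    if settings['preferred_group'] not in {1, 2, 5, 14, 15, 16}:
        findings.append('preferred_group is not one of 1, 2, 5, 14, 15, 16')
    return findings
```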

At the command line (for example, kinit -X):
  certificate_file - Location of the certificate file.
  private_key_file - Location of the private key file.
  certificate_pool - Location of the directory which holds intermediate
		     certificates.
  ca_certificate_file - Location of the CA's certificate.
  ca_certificate_pool - Location of the directory which holds CA certificates.
  debug - Comma-separated list of "stdout", "stderr", "syslog", or debug log
          level.
  minimum_dh_prime_size - Minimum acceptable size for DH primes.  Default 1024.

This is planned to line up with Heimdal and the CITI implementation, so it's
very much subject to change.
