In appdefaults:
  allow_pkinit	   - Enable or disable the module.  Default is "yes".
  allow_pkinit_server - Enable or disable the module for KDCs.  Default is
			to take the value of the "allow_pkinit" option.
			Overrides "allow_pkinit".
  allow_pkinit_client - Enable or disable the module for clients.  Default is
			to take the value of the "allow_pkinit" option.
			Overrides "allow_pkinit".
  trusted_guid     - GUID extension value which the client will trust if the
		     KDC's cert has no subjectAltName value which can be used.
		     No default.
  pkinit_signed_data_version - The version number which should be used when
  			       creating SignedData items to send to a KDC as
			       part of an RFC4556-style request.  Some server
			       implementations will only accept version 1 (MIT
			       Kerberos 1.6.3's default plugin), some will only
			       accept version 3 (Windows Server 2008).  Default
			       is 3.  Requests which follow the draft version of
			       the specification always use version 1.
  pkinit_kdc_signed_data_version - The version number which should be used when
				   creating SignedData items to send to a
				   client.  Some client implementations will
				   only accept version 1 (MIT Kerberos 1.6.3's
				   default plugin).  Default is to use the
				   version that the client used in its request.
  pkinit_kdc_hostname - In combination with "pkinit_eku_checking", a DNS SAN
			which would be acceptable for a KDC.  No default.
  pkinit_eku_checking - In combination with "pkinit_kdc_hostname", an EKU value
			which would be acceptable for a KDC.  Recognized values
			include "kpKDC", "kpServerAuth", and "none".  Default
			is "kpServerAuth".
  pkinit_cert_match   - Alternate combinations of client certificate
			characteristics which would cause it to be deemed
			sufficient for use.  Rules are specified as combinations
			of fields and specifications in the form
			  [&&]<FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
			  <FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
			  [||]<FIELD1>spec1[,<FIELD2>spec2[,...]] [...]
			Recognized fields and the types of specifications to be
			used include
			  <SUBJECT>	Regular expression.
			  <ISSUER>	Regular expression.
			  <SAN>		Regular expression.
			  <EMAIL>	Regular expression.
			  <COMPONENTS>	Number.
			  <EKU>		List of zero or more values, possibly
					including "pkinit" (for clients),
					"pkinitKDC" (for KDCs), "msScLogin",
					"clientAuth", "serverAuth", and
					"emailProtection".
			  <KU>		List of zero or more values, possibly
					including "digitalSignature" and
					"keyEncipherment".
			There is no default.
			Regular expressions can reference parts of the
			principal name being sought by including these special
			sequences:
			  %0 (The realm.)
			  %1 (The first component, if defined.)
			  ..
			  %9 (The ninth component, if defined.)
			  %% (The literal value "%".)
  ocsp_checking    - Enable or disable OCSP checking.  Default is "yes" for
		     KDCs, "no" for clients.  Also recognized by the name
		     "pkinit_require_ocsp_checking".
  is_hw            - Treat a successful PKINIT preauthentication as satisfying
                     the requires_hwauth flag on the client's principal.
                     Default is "no".
  try_dh           - Use Diffie-Hellman key agreement to derive the reply key
                     instead of having the KDC encrypt the reply key to the
                     client's public key (the two RFC 4556 modes).  Default is
                     "yes".
  minimum_dh_prime_size - Minimum acceptable size, in bits, for DH primes.
                          Default 1024.  Also recognized by the name
                          "pkinit_dh_min_bits".  1024-bit DH groups are below
                          current guidance; where both ends support it, raise
                          this to 2048 (Oakley group 14).
  preferred_group  - Preferred Oakley (MODP) group when using DH.  Valid values
                     are 1, 2, 5, 14, 15 and 16, i.e. 768-, 1024-, 1536-,
                     2048-, 3072- and 4096-bit primes.  The default moduli
                     included with Heimdal correspond to group 14.  Default is
                     "2".
  mappings_file    - Name of a principal-name-to-subject-DN mapping file.  No
		     default setting.
  trust_pkinit_san - Whether or not to trust PKINIT-style subjectAltName values
		     in certificates.  Default is "yes".
  trust_upn_san    - Whether or not to trust userPrincipalName subjectAltName
		     values in certificates.  Default is "yes".
  trust_matching_rules - Whether or not the KDC will use matching rules
                         specified using "pkinit_cert_match" to check if a
                         certificate corresponds to a particular client.  If
                         this setting is enabled, each rule should always
                         include a <COMPONENTS> clause and an anchored regex
                         which incorporates the realm and every component of
                         the client's principal name, so that a certificate
                         issued for one principal (e.g. alice) is not also
                         accepted for a principal that merely shares a prefix
                         (e.g. alice/admin).  Default is "no".
  client_database  - Location of the certificate/key/token database used by the
		     client.  Default is set at compile-time.
  client_certificate - Location of the certificate used by the client.  No
 		       default.
  client_private_key - Location of the private key used by the client.  No
  		       default.
  client_certificate_pool - Location of the directory which holds intermediate
			    certificates for use by the client.  No default.
  client_ca_certificate - Location of the client's CA's certificate.  No
 			  default.
  client_ca_certificate_pool - Location of the directory which holds
			       certificates of CAs which are trusted by the
			       client.  No default.
  server_database  - Location of the certificate/key/token database used by the
		     KDC.  Default is set at compile-time.
  server_certificate - Location of the certificate used by the KDC.  No
 		       default.
  server_private_key - Location of the private key used by the KDC.  No
 		       default.
  server_certificate_pool - Location of the directory which holds intermediate
			    certificates for use by the KDC.  No default.
  server_ca_certificate - Location of the KDC's CA's certificate.  No default.
  server_ca_certificate_pool - Location of the directory which holds
			       certificates of CAs which are trusted by the
			       KDC.  No default.
  server_pin_file - Location of a file which contains a PIN which might be
		    needed to log into the server database.  Default is
		    "pin.txt" in the default server database directory.
  debug_level	   - Logging level.  Default is "0".
  debug_syslog	   - Whether or not to send debug messages to syslog.  Default
		     is "yes".
  debug_stdout	  - Whether or not to send debug messages to stdout if stdout
  		     is a terminal device.  Default is "no".
  debug_stderr	   - Whether or not to send debug messages to stderr if stderr
  		     is a terminal device.  Default is "no".
  trusted_servers  - DNS names which, if found in a KDC's certificate, will
		     make it acceptable as an alternate to having a matching
		     principal name or GUID.
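
The rule grammar and %-substitutions of pkinit_cert_match, together with the
false positive the trust_matching_rules entry warns about, modelled in Python.
This is an added example, not code from the plugin: the clause separator
(",<FIELD>"), the comma-separated form of <EKU>/<KU> lists, the re.escape() of
substituted principal parts and the treatment of a reference to an undefined
component are this example's assumptions, and the certificate contents are
constructed values rather than parsed X.509.

```python
"""Evaluate pkinit_cert_match rules against a client certificate (added example).

Assumptions: clauses are separated by ",<FIELD>" so a comma inside a regex
survives; <EKU>/<KU> lists are comma separated; substituted principal parts
are re.escape()d; a rule referencing a component the principal lacks (%2 for
a one-component principal) does not match.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class CertInfo:
    """Constructed stand-in for the fields a real matcher reads from X.509."""
    subject: str = ""
    issuer: str = ""
    san: List[str] = field(default_factory=list)
    email: List[str] = field(default_factory=list)
    eku: List[str] = field(default_factory=list)
    ku: List[str] = field(default_factory=list)

def parse_principal(name: str) -> Tuple[str, List[str]]:
    """'comp1/comp2@REALM' -> ('REALM', ['comp1', 'comp2']); no escape handling."""
    local, realm = name.rsplit("@", 1)
    return realm, local.split("/")

def expand(spec: str, realm: str, comps: List[str]) -> Optional[str]:
    """Substitute %0 (realm), %1..%9 (components) and %% into a regex spec."""
    missing = False

    def sub(m) -> str:
        nonlocal missing
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok == "0":
            return re.escape(realm)
        k = int(tok)
        if k > len(comps):
            missing = True          # %k names a component this principal lacks
            return ""
        return re.escape(comps[k - 1])

    pattern = re.sub(r"%([0-9%])", sub, spec)
    return None if missing else pattern

def split_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ('and'|'or', [(FIELD, spec), ...]) for one rule string."""
    rule = rule.strip()
    mode = "and"
    if rule.startswith("||"):
        mode, rule = "or", rule[2:]
    elif rule.startswith("&&"):
        rule = rule[2:]
    clauses = []
    for part in re.split(r",(?=<[A-Z]+>)", rule):
        m = re.match(r"<([A-Z]+)>", part)
        if not m:
            raise ValueError(f"bad clause: {part!r}")
        clauses.append((m.group(1), part[m.end():]))
    return mode, clauses

def clause_matches(fld: str, spec: str, cert: CertInfo,
                   realm: str, comps: List[str]) -> bool:
    if fld == "COMPONENTS":
        return len(comps) == int(spec)
    if fld in ("EKU", "KU"):
        have = cert.eku if fld == "EKU" else cert.ku
        return all(v in have for v in spec.split(",") if v)
    pattern = expand(spec, realm, comps)
    if pattern is None:
        return False
    values = {"SUBJECT": [cert.subject], "ISSUER": [cert.issuer],
              "SAN": cert.san, "EMAIL": cert.email}[fld]
    return any(re.search(pattern, v) for v in values)

def rule_matches(rule: str, cert: CertInfo, principal: str) -> bool:
    realm, comps = parse_principal(principal)
    mode, clauses = split_rule(rule)
    hits = [clause_matches(f, s, cert, realm, comps) for f, s in clauses]
    return all(hits) if mode == "and" else any(hits)

def cert_acceptable(rules: List[str], cert: CertInfo, principal: str) -> bool:
    """Any one rule matching is sufficient, per the option description."""
    return any(rule_matches(r, cert, principal) for r in rules)

# Constructed certificate issued to the ordinary user alice.
ALICE_CERT = CertInfo(subject="CN=alice,O=Example", issuer="CN=Example CA",
                      san=["alice@EXAMPLE.COM"], eku=["pkinit", "clientAuth"],
                      ku=["digitalSignature"])
# Loose rule: no <COMPONENTS> clause, unanchored regex, only %1 and %0 used.
LOOSE_RULES = ["<SAN>%1@%0,<EKU>pkinit"]
# Strict rules in the shape the trust_matching_rules entry asks for.
STRICT_RULES = ["&&<COMPONENTS>1,<SAN>^%1@%0$,<EKU>pkinit",
                "&&<COMPONENTS>2,<SAN>^%1/%2@%0$,<EKU>pkinit"]

def demo() -> Tuple[bool, bool, bool]:
    """(loose accepts alice's cert as alice/admin, strict does, strict accepts alice)."""
    return (cert_acceptable(LOOSE_RULES, ALICE_CERT, "alice/admin@EXAMPLE.COM"),
            cert_acceptable(STRICT_RULES, ALICE_CERT, "alice/admin@EXAMPLE.COM"),
            cert_acceptable(STRICT_RULES, ALICE_CERT, "alice@EXAMPLE.COM"))

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The loose rule lets a certificate issued to alice authenticate the KDC as
alice/admin, because %1 expands to "alice" for both principals and nothing in
the regex pins down the second component; the strict pair rejects that and
still accepts alice's certificate for alice.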

[appdefaults]
 allow_pkinit = no
 pkinit = {
   BOSTON.REDHAT.COM = {
     trusted_guid = 9a:37:dd:c9:ad:15:34:4e:9d:36:b4:9f:fd:91:b8:74
   }
 }
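
How the client-side options (trust_pkinit_san, pkinit_kdc_hostname,
pkinit_eku_checking, trusted_guid and trusted_servers) combine to decide whether
a KDC's certificate is acceptable, as their descriptions above read. This is an
added example, not the plugin's code: the order in which the alternatives are
tried, the field names and the returned labels are this example's assumptions,
and the certificates are constructed values; the GUID is the one from the
configuration example above.

```python
"""Decide whether a KDC certificate is acceptable to a PKINIT client (added example).

Assumptions: the four checks run in the order below, EKU values are carried as
the names pkinit_eku_checking uses, and certificates are constructed stand-ins.
"""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class KdcCert:
    pkinit_san: Optional[str] = None              # RFC 4556 KRB5PrincipalName SAN, as text
    dns_sans: List[str] = field(default_factory=list)
    eku: List[str] = field(default_factory=list)   # names as used by pkinit_eku_checking
    guid_ext: Optional[str] = None                # GUID extension value, if present

@dataclass
class ClientConfig:
    trust_pkinit_san: bool = True                 # documented default "yes"
    pkinit_kdc_hostname: Optional[str] = None
    pkinit_eku_checking: str = "kpServerAuth"     # documented default
    trusted_guid: Optional[str] = None
    trusted_servers: List[str] = field(default_factory=list)

def kdc_cert_acceptable(cert: KdcCert, cfg: ClientConfig, realm: str) -> str:
    """Return a label naming the check that accepted the cert, or '' if rejected."""
    # 1. The TGS principal in an id-pkinit-san, when such SANs are trusted.
    if cfg.trust_pkinit_san and cert.pkinit_san == f"krbtgt/{realm}@{realm}":
        return "pkinit-san"
    # 2. A DNS SAN for the configured KDC host name, gated by the EKU requirement.
    if cfg.pkinit_kdc_hostname and cfg.pkinit_kdc_hostname in cert.dns_sans:
        if cfg.pkinit_eku_checking == "none" or cfg.pkinit_eku_checking in cert.eku:
            return "kdc-hostname"
    # 3. No SAN was usable: fall back to the trusted GUID extension value.
    if cfg.trusted_guid and cert.guid_ext and \
            cert.guid_ext.lower() == cfg.trusted_guid.lower():
        return "trusted-guid"
    # 4. trusted_servers names stand in for a matching principal or GUID.
    if any(name in cert.dns_sans for name in cfg.trusted_servers):
        return "trusted-server"
    return ""

# Constructed client configuration and KDC certificates.  The legacy GUID is
# written in upper case to show that the comparison is case-insensitive here.
CFG = ClientConfig(pkinit_kdc_hostname="kdc1.example.com",
                   trusted_guid="9a:37:dd:c9:ad:15:34:4e:9d:36:b4:9f:fd:91:b8:74")
CERTS = {
    "rfc4556":     KdcCert(pkinit_san="krbtgt/EXAMPLE.COM@EXAMPLE.COM", eku=["kpKDC"]),
    "tls-style":   KdcCert(dns_sans=["kdc1.example.com"], eku=["kpServerAuth"]),
    "wrong-eku":   KdcCert(dns_sans=["kdc1.example.com"], eku=["kpClientAuth"]),
    "legacy-guid": KdcCert(guid_ext="9A:37:DD:C9:AD:15:34:4E:9D:36:B4:9F:FD:91:B8:74"),
    "rogue":       KdcCert(dns_sans=["evil.example.com"], eku=["kpServerAuth"]),
}

def demo(cfg: ClientConfig = CFG) -> dict:
    """Verdict per constructed certificate under the given configuration."""
    return {name: kdc_cert_acceptable(c, cfg, "EXAMPLE.COM") for name, c in CERTS.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict or 'rejected'}")
```

Setting pkinit_eku_checking to "kpKDC" rejects the "tls-style" certificate
(a serverAuth-only certificate for the right host name), and setting it to
"none" accepts any certificate carrying that DNS name regardless of EKU, which
is why the documented default is "kpServerAuth" rather than "none".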

At the command line (for example, kinit -X):
  certificate_file - Location of the certificate file.
  private_key_file - Location of the private key file.
  certificate_pool - Location of the directory which holds intermediate
		     certificates.
  ca_certificate_file - Location of the CA's certificate.
  ca_certificate_pool - Location of the directory which holds CA certificates.
  debug - Comma-separated list of "stdout", "stderr", "syslog", or debug log
  	  level.
  minimum_dh_prime_size - Minimum acceptable size for DH primes.  Default 1024.

This is planned to line up with Heimdal and the CITI implementation, so it's
very much subject to change.
