MIT Kerberos expects, at minimum, to be configured with the location of the
trusted root certificates and the user's identity.  These options, passed
through the "preauth_options" option, include:
  X509_anchors (for example "FILE:/etc/pki/tls/cert.pem")
  X509_user_identity (for example "PKCS11:/usr/$LIB/libcoolkeypk11.so")
Their corresponding names in the [libdefaults] section of krb5.conf are:
  pkinit_anchors
  pkinit_identities