diff --git a/kdc/kdc-tester.c b/kdc/kdc-tester.c
index ceaf82848..1ca85714b 100644
--- a/kdc/kdc-tester.c
+++ b/kdc/kdc-tester.c
@@ -141,7 +141,8 @@ get_fast_armor_ccache(const char *fast_armor_princ, const char *keytab,
 static void
 eval_kinit(heim_dict_t o)
 {
- heim_string_t user, password, keytab, fast_armor_princ;
+ heim_string_t user, password, keytab, fast_armor_princ, pk_user_id;
+ krb5_get_init_creds_opt *opt;
 krb5_init_creds_context ctx;
 krb5_principal client;
 krb5_keytab kt = NULL;
@@ -157,14 +158,30 @@ eval_kinit(heim_dict_t o)
 password = heim_dict_get_value(o, HSTR("password"));
 keytab = heim_dict_get_value(o, HSTR("keytab"));
- if (password == NULL && keytab == NULL)
- krb5_errx(kdc_context, 1, "no password nor keytab");
+ pk_user_id = heim_dict_get_value(o, HSTR("pkinit-user-cert-id"));
+ if (password == NULL && keytab == NULL && pk_user_id == NULL)
+ krb5_errx(kdc_context, 1, "password, keytab, nor PKINIT user cert ID");
 ret = krb5_parse_name(kdc_context, heim_string_get_utf8(user), &client);
 if (ret)
 krb5_err(kdc_context, 1, ret, "krb5_unparse_name");
- ret = krb5_init_creds_init(kdc_context, client, NULL, NULL, 0, NULL, &ctx);
+ /* PKINIT parts */
+ ret = krb5_get_init_creds_opt_alloc (kdc_context, &opt);
+ if (ret)
+ krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_alloc");
+
+ if (pk_user_id) {
+ ret = krb5_get_init_creds_opt_set_pkinit(kdc_context, opt,
+ client,
+ heim_string_get_utf8(pk_user_id),
+ NULL, NULL, NULL, 0,
+ NULL, NULL, NULL);
+ if (ret)
+ krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
+ }
+
+ ret = krb5_init_creds_init(kdc_context, client, NULL, NULL, 0, opt, &ctx);
 if (ret)
 krb5_err(kdc_context, 1, ret, "krb5_init_creds_init");
diff --git a/tests/kdc/Makefile.am b/tests/kdc/Makefile.am
index f39590a63..1ab97c960 100644
--- a/tests/kdc/Makefile.am
+++ b/tests/kdc/Makefile.am
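Review bot: The `krb5_get_init_creds_opt` obtained from `krb5_get_init_creds_opt_alloc` is never released anywhere in the hunk, so unless eval_kinit frees it in the part of the function that lies past the end of this hunk, every kinit evaluation now leaks it; add `krb5_get_init_creds_opt_free(kdc_context, opt);` next to the existing teardown of `ctx`. The new fatal message is a fragment and should read `krb5_errx(kdc_context, 1, "no password, keytab, nor PKINIT user cert ID");`. Since a PKINIT-only entry (no password, no keytab) is now accepted, please confirm that the password/keytab selection later in eval_kinit, which is outside this hunk, tolerates both being NULL rather than falling into a keytab branch with `kt == NULL`. The PKINIT call passes NULL anchors and no flags, so the KDC certificate is trusted purely on whatever `krb5.conf` is in effect; that is acceptable for a test driver but deserves a comment such as `/* anchors, revocation and flags come from krb5.conf; only the user cert is supplied here */`. eval_kinit starts and ends outside this hunk.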
@@ -1,6 +1,7 @@
 include $(top_srcdir)/Makefile.am.common
 noinst_DATA = \
+ kdc-tester4.json \
 krb5.conf \
 krb5-canon.conf \
 krb5-canon2.conf \
@@ -45,6 +46,7 @@ endif
 do_subst = sed $(do_dlopen) \
 -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
+ -e 's,[@]top_srcdir[@],$(top_srcdir),g' \
 -e 's,[@]srcdir[@],$(srcdir),g' \
 -e 's,[@]port[@],$(port),g' \
 -e 's,[@]admport[@],$(admport),g' \
@@ -95,7 +97,7 @@ check-kdc-weak: check-kdc-weak.in Makefile
 chmod +x check-kdc-weak.tmp
 mv check-kdc-weak.tmp check-kdc-weak
-check-tester: check-tester.in Makefile
+check-tester: check-tester.in kdc-tester4.json Makefile
 $(do_subst) < $(srcdir)/check-tester.in > check-tester.tmp
 chmod +x check-tester.tmp
 mv check-tester.tmp check-tester
@@ -140,6 +142,10 @@ check-kpasswdd: check-kpasswdd.in Makefile
 chmod +x check-kpasswdd.tmp
 mv check-kpasswdd.tmp check-kpasswdd
+kdc-tester4.json: kdc-tester4.json.in Makefile
+ $(do_subst) < $(srcdir)/kdc-tester4.json.in > kdc-tester4.json.tmp
+ mv kdc-tester4.json.tmp kdc-tester4.json
+
 krb5.conf: krb5.conf.in Makefile
 $(do_subst) \
 -e 's,[@]WEAK[@],false,g' \
@@ -203,6 +209,7 @@ CLEANFILES= \
 iprop.keytab \
 digest-reply \
 foopassword \
+ kdc-tester4.json \
 krb5.conf \
 krb5-canon.conf \
 krb5-canon2.conf \
@@ -261,6 +268,7 @@ EXTRA_DIST = \
 iprop-acl \
 kdc-tester1.json \
 kdc-tester2.json \
+ kdc-tester4.json.in \
 krb5-pkinit.conf.in \
 krb5.conf.in \
 krb5-canon.conf.in \
diff --git a/tests/kdc/check-tester.in b/tests/kdc/check-tester.in
index 16edf8fa9..cb4baf786 100644
--- a/tests/kdc/check-tester.in
+++ b/tests/kdc/check-tester.in
@@ -50,11 +50,30 @@ R=TEST.H5L.SE
 keytabfile=${objdir}/server.keytab
 keytab="FILE:${keytabfile}"
+keyfile="${hx509_data}/key.der"
+keyfile2="${hx509_data}/key2.der"
 kadmin="${kadmin} -l -r $R"
 server=host/datan.test.h5l.se
+rsa=yes
+pkinit=no
+if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
+ rsa=no
+fi
+if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
+ rsa=no
+fi
+
+if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
+ pkinit=yes
+fi
+
+# If we doesn't support pkinit and have RSA, give up
+if test "$rsa" != yes ; then
+ pkinit=no
+fi
 rm -f ${keytabfile}
 rm -f current-db*
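Review bot: The comment `# If we doesn't support pkinit and have RSA, give up` does not describe the test below it, which only clears `pkinit` when RSA is unavailable; suggest `# PKINIT needs RSA; skip the PKINIT run when hx509 has no usable RSA or RNG`. Both `${hxtool} info` probes fold into the single `rsa` flag, so a build whose only problem is `rand: not available` is reported as "no RSA", which will mislead whoever debugs a silently skipped PKINIT run; a separate `rand` flag, or a name like `have_crypto`, would make the skip reason visible. `hx509_data` is consumed by the new `keyfile` assignments without being set in this hunk, presumably coming from the environment setup sourced earlier in the script; worth a one-line comment naming where it comes from.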
@@ -84,5 +103,45 @@ ${kdc_tester} ${srcdir}/kdc-tester2.json || exit 1
 echo "fast + keytab"
 ${kdc_tester} ${srcdir}/kdc-tester3.json || exit 1
+if test "$pkinit" = yes ; then
+ KRB5_CONFIG="${1-${objdir}/krb5-pkinit.conf}"
+ export KRB5_CONFIG
+ echo "Setting up certificates"
+ ${hxtool} request-create \
+ --subject="CN=kdc,DC=test,DC=h5l,DC=se" \
+ --key=FILE:${keyfile2} \
+ req-kdc.der || exit 1
+ ${hxtool} request-create \
+ --subject="CN=foo,DC=test,DC=h5l,DC=se" \
+ --key=FILE:${keyfile2} \
+ req-pkinit.der || exit 1
+
+ echo "issue self-signed ca cert"
+ ${hxtool} issue-certificate \
+ --self-signed \
+ --issue-ca \
+ --ca-private-key=FILE:${keyfile} \
+ --subject="CN=CA,DC=test,DC=h5l,DC=se" \
+ --certificate="FILE:ca.crt" || exit 1
+
+ echo "issue kdc certificate"
+ ${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-kdc" \
+ --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
+ --req="PKCS10:req-kdc.der" \
+ --certificate="FILE:kdc.crt" || exit 1
+
+ echo "issue user certificate (pkinit san)"
+ ${hxtool} issue-certificate \
+ --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+ --type="pkinit-client" \
+ --pk-init-principal="foo@TEST.H5L.SE" \
+ --req="PKCS10:req-pkinit.der" \
+ --certificate="FILE:pkinit.crt" || exit 1
+
+ echo "pkinit"
+ ${kdc_tester} ${srcdir}/kdc-tester4.json || exit 1
+fi
 exit $ec
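Review bot: `${kdc_tester} ${srcdir}/kdc-tester4.json` looks for the test description in the source tree, but the Makefile.am part of this commit generates kdc-tester4.json into the build directory (it is listed in noinst_DATA and CLEANFILES, and only kdc-tester4.json.in is in EXTRA_DIST), so an out-of-tree build will fail on this line; it should be `${kdc_tester} ${objdir}/kdc-tester4.json || exit 1`. The same private key `${keyfile2}` backs both the KDC and the client certificate request, which is fine for a fixture but means this run cannot catch a KDC that accepts a client certificate as a KDC certificate or vice versa; a comment stating that this sharing is deliberate would stop someone from "fixing" it later. `--ca-certificate=FILE:$objdir/ca.crt` uses an absolute path while `--certificate="FILE:ca.crt"` writes relative to the current directory, so the script relies on cwd being `$objdir`; say so in a comment or use `${objdir}/` consistently. `KRB5_CONFIG` is exported and never restored, which is harmless only because the script exits immediately afterwards.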