diff --git a/kdc/config.c b/kdc/config.c
index 4f9623feb..4c3b2e3a7 100644
--- a/kdc/config.c
+++ b/kdc/config.c
@@ -502,7 +502,7 @@ configure(krb5_context context, int argc, char **argv)
 NULL);
 if (config->enable_pkinit) {
 const char *user_id, *anchors;
- char **chain;
+ char **chain, **revoke;
 user_id = krb5_config_get_string(context, NULL,
 "kdc",
@@ -523,7 +523,12 @@ configure(krb5_context context, int argc, char **argv)
 "pki-chain",
 NULL);
- _kdc_pk_initialize(context, config, user_id, anchors, chain);
+ revoke = krb5_config_get_strings(context, NULL, "kdc", "pki-revoke", NULL);
+ _kdc_pk_initialize(context, config, user_id, anchors, chain, revoke);
 krb5_config_free_strings(chain);
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index e4b5152df..b52041941 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -52,6 +52,7 @@ struct krb5_pk_identity {
 hx509_certs certs;
 hx509_certs anchors;
 hx509_certs certpool;
+ hx509_revoke_ctx revoke;
 };
 enum pkinit_type {
@@ -1238,7 +1239,8 @@ _kdc_pk_initialize(krb5_context context,
 krb5_kdc_configuration *config,
 const char *user_id,
 const char *anchors,
- char **pool)
+ char **pool,
+ char **revoke)
 {
 const char *file;
 krb5_error_code ret;
@@ -1256,14 +1258,15 @@ _kdc_pk_initialize(krb5_context context,
 principal_mappings.len = 0;
 principal_mappings.val = NULL;
- ret = _krb5_pk_load_openssl_id(context, &kdc_identity, user_id, anchors, pool, NULL, NULL, NULL);
+ ret = _krb5_pk_load_id(context, &kdc_identity, user_id, anchors, pool, revoke, NULL, NULL, NULL);
 if (ret) {
 krb5_warn(context, ret, "PKINIT: failed to load");
 config->enable_pkinit = 0;
diff --git a/kuser/kinit.c b/kuser/kinit.c
index 41946e0fa..fb600899e 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -71,6 +71,7 @@ int fcache_version;
 char *pk_user_id = NULL;
 char *pk_x509_anchors = NULL;
 char **pk_x509_pool = NULL;
+char **pk_x509_revoke = NULL;
 static char *krb4_cc_name;
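Review bot: `revoke` is obtained with `krb5_config_get_strings` but, unlike `chain`, is never released: the hunk frees `chain` with `krb5_config_free_strings(chain);` right after `_kdc_pk_initialize` returns and does nothing with `revoke`, so the list leaks on every configure() run that has `pki-revoke` set. Provided `_kdc_pk_initialize` does not keep the pointer (the pkinit.c hunk only hands it to `_krb5_pk_load_id`, which presumably copies what it needs — confirm), add `krb5_config_free_strings(revoke);` next to the existing free. configure() continues outside the hunk.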
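Review bot: The new `revoke` member of `struct krb5_pk_identity` is filled by the identity loader, but nothing in this diff attaches it to the verification of client certificates on incoming PKINIT requests; unless the hx509 verifier picks it up from the identity automatically (not visible here), the CRLs are loaded and never consulted. Worth confirming that the KDC's client-certificate verification path installs the struct's `revoke` context (presumably via the hx509 verify revoke-context setter) and that a NULL context, i.e. no `pki-revoke` configured, is treated as "no revocation checking" deliberately rather than silently. A one-line comment on the field would make the contract explicit, e.g. `hx509_revoke_ctx revoke; /* CRL/OCSP data from [kdc] pki-revoke; NULL when unconfigured */`.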
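Review bot: The added `revoke` parameter is undocumented, and since both `pool` and `revoke` are `char **`, a caller that swaps the two compiles silently — the only guard is positional order. A short comment above the definition describing both lists (presumably NULL-terminated path lists taken from `[kdc]`, with `revoke` allowed to be NULL) would help reviewers and callers; the definition's first line appears only in the hunk header and the body continues past the hunk.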
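Review bot: With `_krb5_pk_load_id` now loading four inputs, the existing warning `krb5_warn(context, ret, "PKINIT: failed to load");` no longer tells the operator which one was rejected, and a bad `pki-revoke` path now disables PKINIT entirely — fail-closed is the right behaviour, but it should be diagnosable; consider `krb5_warn(context, ret, "PKINIT: failed to load identity, anchors, pool or revocation data");` or a per-input message. Conversely, when `revoke` is NULL nothing is logged, so a KDC running without any revocation data looks identical to one with CRLs; a startup `krb5_warnx` when `revoke == NULL` would make that fail-open default visible. Whether `_krb5_pk_load_id` accepts a NULL `revoke` at all is not visible in this hunk and should be checked. _kdc_pk_initialize continues outside the hunk.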
@@ -466,6 +467,7 @@ get_new_tickets(krb5_context context,
 pk_user_id,
 pk_x509_anchors,
 pk_x509_pool,
+ pk_x509_revoke,
 0,
 NULL,
 NULL,
@@ -808,6 +810,12 @@ main (int argc, char **argv)
 "pkinit-pool",
 NULL);
+ pk_x509_revoke = krb5_config_get_strings(context, NULL, "appdefaults", "pkinit-revoke", NULL);
+
+
 if (pk_x509_anchors == NULL)
 krb5_appdefault_string(context, "kinit",
 krb5_principal_get_realm(context, principal),
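Review bot: `pkinit-revoke` is read with `krb5_config_get_strings` from `[appdefaults]` only, with no realm and no application name; that appears to match how `pkinit-pool` is read just above (the head of that call is outside the hunk), but not how `pkinit-anchors` is resolved a few lines below through `krb5_appdefault_string(context, "kinit", krb5_principal_get_realm(context, principal), ...)`, so a per-realm or per-application `pkinit-revoke` setting is silently ignored. If that is intended, say so: `/* pkinit-revoke, like pkinit-pool, is only honoured at [appdefaults] top level */`; otherwise use the same realm-aware lookup as anchors. The two added blank `+` lines before the `if` also leave a double blank where the surrounding code uses one. main() continues outside the hunk.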