diff --git a/kuser/kinit.c b/kuser/kinit.c index 4208fa83e..6e11cf9ec 100644 --- a/kuser/kinit.c +++ b/kuser/kinit.c @@ -40,6 +40,7 @@ struct krb5_dh_moduli; struct AlgorithmIdentifier; struct _krb5_krb_auth_data; +struct hx509_certs_data; #include #ifndef NO_NTLM @@ -76,6 +77,7 @@ int fcache_version; char *password_file = NULL; char *pk_user_id = NULL; int pk_enterprise_flag = 0; +struct hx509_certs_data *ent_user_id = NULL; char *pk_x509_anchors = NULL; int pk_use_enckey = 0; static int canonicalize_flag = 0; @@ -467,7 +469,7 @@ get_new_tickets(krb5_context context, krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE); if (pk_enterprise_flag && windows_flag) krb5_get_init_creds_opt_set_win2k(context, opt, TRUE); - if (pk_user_id || anonymous_flag) { + if (pk_user_id || ent_user_id || anonymous_flag) { ret = krb5_get_init_creds_opt_set_pkinit(context, opt, principal, pk_user_id, @@ -481,6 +483,8 @@ get_new_tickets(krb5_context context, passwd); if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit"); + if (ent_user_id) + ret = _krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id); } if (addrs_flag != -1) @@ -796,10 +800,13 @@ main (int argc, char **argv) if (pk_enterprise_flag) { ret = _krb5_pk_enterprise_cert(context, pk_user_id, - argv[0], &principal); + argv[0], &principal, + &ent_user_id); if (ret) krb5_err(context, 1, ret, "krb5_pk_enterprise_certs"); + pk_user_id = NULL; + } else if (anonymous_flag) { ret = krb5_make_principal(context, &principal, argv[0],
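Review bot: The result of `_krb5_get_init_creds_opt_set_pkinit_user_certs` is stored in `ret` in the second get_new_tickets hunk but is never tested before the block closes, unlike the `krb5_get_init_creds_opt_set_pkinit` call just above it. Because main now clears `pk_user_id` on the enterprise path, this call appears to be the only place the selected certificate reaches the PKINIT options, so a failure here should stop kinit rather than let it continue. I would brace the `if (ent_user_id)` body and add `if (ret) krb5_err(context, 1, ret, "_krb5_get_init_creds_opt_set_pkinit_user_certs");` after the call. get_new_tickets starts and ends outside the hunk, so a later check of `ret` cannot be ruled out from here.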
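Review bot: `pk_user_id = NULL;` in the main hunk runs whenever `_krb5_pk_enterprise_cert` returns success, but nothing visible confirms that `ent_user_id` was actually filled in. If that out-parameter can stay NULL on success (not visible here), the `pk_user_id || ent_user_id || anonymous_flag` test in get_new_tickets would be false and PKINIT setup would be skipped without any message. Consider `if (ent_user_id == NULL) krb5_errx(context, 1, "no enterprise certificate selected");` before the assignment, and a comment on it such as `/* identity is carried by ent_user_id from here on */`. main continues outside the hunk, and no release of `ent_user_id` is visible in this diff.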