diff --git a/lib/asn1/Makefile.am b/lib/asn1/Makefile.am
index a3ba591e0..dbdd64c09 100644
--- a/lib/asn1/Makefile.am
+++ b/lib/asn1/Makefile.am
@@ -283,6 +283,7 @@ gen_files_pkinit =					\
 	asn1_DHNonce.x					\
 	asn1_TrustedCA.x				\
 	asn1_ExternalPrincipalIdentifier.x		\
+	asn1_ExternalPrincipalIdentifiers.x		\
 	asn1_PA_PK_AS_REQ.x				\
 	asn1_PKAuthenticator.x				\
 	asn1_AuthPack.x					\
diff --git a/lib/asn1/pkinit.asn1 b/lib/asn1/pkinit.asn1
index 52fe6a00b..56d661167 100644
--- a/lib/asn1/pkinit.asn1
+++ b/lib/asn1/pkinit.asn1
@@ -50,10 +50,11 @@ ExternalPrincipalIdentifier ::= SEQUENCE {
 	...
 }
 
+ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier
+
 PA-PK-AS-REQ ::= SEQUENCE {
         signedAuthPack          [0] IMPLICIT OCTET STRING,
-        trustedCertifiers       [1] SEQUENCE OF 
-			ExternalPrincipalIdentifier OPTIONAL,
+        trustedCertifiers       [1] ExternalPrincipalIdentifiers OPTIONAL,
 	kdcPkId                 [2] IMPLICIT OCTET STRING OPTIONAL,
 	...
 }
@@ -74,8 +75,8 @@ AuthPack ::= SEQUENCE {
 	...
 }
 
-TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF ExternalPrincipalIdentifier
-TD-INVALID-CERTIFICATES ::= SEQUENCE OF ExternalPrincipalIdentifier
+TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
+TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers
 
 KRB5PrincipalName ::= SEQUENCE {
 	realm                   [0] Realm,