1.5 Prerequisites/Preconditions
PKCA assumes the following, in addition to any assumptions specified in [MS-KILE]:
- The key distribution center (KDC) has an X.509 public key certificate [X509], issued by a certificate authority (CA) and trusted by the clients in the Kerberos realm. For ECC support, the KDC has an ECC public key certificate issued by a CA and trusted by clients in the Kerberos realm. The issuing of these [X509] certificates is not addressed in this protocol specification.
- A cryptographic-strength random-number generator is available for generating keys and other cryptographically sensitive information.<1>
- Each user has an [X509] certificate suitable for use with PKINIT. Details about such a certificate are specified in [RFC4556] Appendix C.
Details about general Kerberos assumptions are specified in [RFC4120] section 1.6.