I've written up this patch to enable the Puppet CA to deal with Kerberos-PKINIT-enabled certificate requests and allow the clients to request those extensions.
Since the whole PKINIT certificate extension thing is IMO highly inaccessible to people with non-ASN.1-capable brains (i.e. everyone) I think it would be a killer feature for Puppet to support this with just a few command line options out of the box.
Those certificates can be used on the client to obtain Kerberos tickets using just the certificate and private key and no password or keytab:
This can easily be made into a cron job so the machine always has a TGT floating around for accessing kerberised services!
I am also using this in an environment where I run Kerberos-enabled services and want to allow them to auto-enroll with the KDC and create their principals and keytabs. Using PKINIT with the Puppet machine certificates and making the machine principal a very limited Kerberos administrator for its own principal namespace (*/$fqdn@$realm) allows for this very elegantly, securely and without any additional password storage and passing.
With the KDC extension it is also possible to run a PKINIT-enabled KDC with just the Puppet client certificate and key. Instructions on how to do so can be found here:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html. A Puppet module that does so fully automatically is available here:
(This doubled acceptance procedure is intentional and IMO a nice opportunity for the admin to realise what he's doing.)
I've developed this with Puppet 3.7.2 on Debian jessie and adjusted slightly for current master HEAD.
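As an added illustration of the client-side flow described above (obtaining a TGT from the Puppet certificate and key via PKINIT, keeping it fresh from cron, and using that TGT to let the machine principal enroll its own service principals), here is a small wrapper script. It is example code written for this page, not part of the patch or of the Puppet module it refers to. Everything about the environment is assumed and overridable through variables: the Puppet 3.x ssldir layout under /var/lib/puppet/ssl, a machine principal of the form host/$fqdn@$realm, the realm EXAMPLE.COM, and the credential cache path; the kadm5.acl line in the comment is the MIT back-reference syntax for restricting the machine principal to its own */$fqdn namespace and is likewise an assumption, not something the page states.

```shell
#!/bin/sh
# Example PKINIT helper for Puppet-issued machine certificates.
# Assumed layout (Puppet 3.x default ssldir, override via environment):
#   certificate: $PUPPET_SSLDIR/certs/$FQDN.pem
#   private key: $PUPPET_SSLDIR/private_keys/$FQDN.pem
#   Puppet CA:   $PUPPET_SSLDIR/certs/ca.pem
# Assumed kadm5.acl entry on the KDC so that each host may only administer
# principals in its own */$fqdn namespace (MIT back-reference syntax):
#   host/*@EXAMPLE.COM  aci  */*1@EXAMPLE.COM
set -eu

PUPPET_SSLDIR="${PUPPET_SSLDIR:-/var/lib/puppet/ssl}"
FQDN="${FQDN:-$(hostname -f 2>/dev/null || echo localhost)}"
REALM="${REALM:-EXAMPLE.COM}"                        # assumption: your realm
CCACHE="${CCACHE:-/var/lib/puppet/krb5cc_pkinit}"    # assumption: where the TGT lives

# PKINIT identity: the agent certificate and its private key.
pkinit_identity() {   # $1 = fqdn, $2 = ssldir
    printf 'FILE:%s/certs/%s.pem,%s/private_keys/%s.pem\n' "$2" "$1" "$2" "$1"
}

# Trust anchor the client uses to validate the KDC's PKINIT certificate.
pkinit_anchors() {    # $1 = ssldir
    printf 'FILE:%s/certs/ca.pem\n' "$1"
}

# Assumption: the machine principal is host/<fqdn>@<realm>.
machine_principal() { # $1 = fqdn, $2 = realm
    printf 'host/%s@%s\n' "$1" "$2"
}

# A service principal inside the host's own namespace, e.g. HTTP/<fqdn>@<realm>.
service_principal() { # $1 = service, $2 = fqdn, $3 = realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Obtain a TGT with the certificate and key only: no password, no keytab.
# klist -s exits 0 when the cache already holds a valid, unexpired ticket,
# so this is cheap enough to run from cron every few minutes.
refresh_tgt() {
    if klist -s -c "$CCACHE" 2>/dev/null; then
        return 0
    fi
    kinit -c "$CCACHE" \
        -X "X509_user_identity=$(pkinit_identity "$FQDN" "$PUPPET_SSLDIR")" \
        -X "X509_anchors=$(pkinit_anchors "$PUPPET_SSLDIR")" \
        "$(machine_principal "$FQDN" "$REALM")"
}

# Self-enrollment: create <service>/<fqdn> with a random key and export it to
# a keytab, authenticating to kadmin with the PKINIT-obtained TGT (assumes the
# TGT in CCACHE can fetch the kadmin/admin service ticket).
enroll_service() {    # $1 = service name, $2 = keytab path
    princ=$(service_principal "$1" "$FQDN" "$REALM")
    admin=$(machine_principal "$FQDN" "$REALM")
    refresh_tgt
    kadmin -c "$CCACHE" -p "$admin" -q "addprinc -randkey $princ"
    kadmin -c "$CCACHE" -p "$admin" -q "ktadd -k $2 $princ"
}

case "${1:-}" in
    refresh) refresh_tgt ;;
    enroll)  enroll_service "$2" "$3" ;;
esac
```

Installed as, say, /usr/local/sbin/puppet-pkinit, a cron entry such as `*/15 * * * * root /usr/local/sbin/puppet-pkinit refresh` keeps a TGT in CCACHE, and `puppet-pkinit enroll HTTP /etc/apache2/http.keytab` creates HTTP/$fqdn and its keytab without any password ever being stored on the node. The trust boundary is the Puppet CA: anyone who can get a certificate with the PKINIT extensions for a given fqdn out of it can obtain that host's TGT, so the doubled acceptance step on the CA side is the control that matters.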