Experimental features:
1. If you want trustedCertifiers to be sent by the client, then set 
X509_CA_BUNDLE to a ca-bundle file.
2. If you want to make our KDC act like a draft9 KDC, then modify pkinit_src.c 
file. there is an "#if 0" for "supported_server_pa_types". if you change "if 0"
to "if 1", then the kdc will become draft9-only KDC.
3. If you like more debugging output, add "-DDEBUG" to CFLAGS and recompile 
the code. 
4. If you are debugging ASN1 encoding, add "-DDEBUG_ASN1" to CFLAGS and 
recompile the code. After running, you'll get DER encoded structures stored 
in /tmp. For example, /tmp/client_as_req will contains DER encoding of the 
pkinit part of the AS-REQ.
5. Prior to having config options that manage EKU/SAN/CRL checking, you can
modify pkinit_lib.c in function pkinit_lib_init(), set 
    plgctx->require_eku = 1 -- will require presence of EKU in certs
    plgctx->require_san = 1 -- will require presence of SAN in KDC's cert
    plgctx->require_crl_checking = 1 -- will require presence of CRLs to 
	verify every certificate