From 0ee8c263f615baa3b839eeb94236b3f54862233b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 19 Jul 2023 15:50:43 +1200 Subject: [PATCH] WHATSNEW: Add text on PKINIT Certificate Revocation BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- WHATSNEW.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7cdb9f32f08..e38eeccfa22 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -108,7 +108,24 @@ The use of well known cryptography libraries makes Samba easier for end-users to validate and deploy, and for distributors to ship. This is the end of a very long journey for Samba. +Revocation support in Heimdal KDC for PKINIT certificates +--------------------------------------------------------- + +Samba will now correctly honour the revocation of 'smart card' +certificates used for PKINIT Kerberos authentication. + +This list is reloaded each time the file changes, so no further action +other than replacing the file is required. The additional krb5.conf +option is: + + [kdc] + pkinit_revoke = FILE:/path/to/crl.pem +Information on the "Smart Card login" feature as a whole is at: + https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login + + +================ REMOVED FEATURES ================ -- 2.11.4.GIT
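Review bot: In the second added paragraph of the WHATSNEW.txt hunk, "This list is reloaded each time the file changes" has no antecedent. The paragraph before it mentions revocation but never says that a certificate revocation list file is involved, or that revocation checking depends on setting the krb5.conf option shown further down. Suggest adding a sentence ahead of it stating that the KDC reads a CRL from the file named by "pkinit_revoke" in the [kdc] section, so that "This list" and "the file" refer to something, and so that "additional" in "The additional krb5.conf option is:" has a stated baseline. A smaller style point in the same hunk: the added line "Information on the "Smart Card login" feature as a whole is at:" follows the indented "pkinit_revoke = FILE:/path/to/crl.pem" line with no blank line between them, unlike the other paragraph breaks in this section; a blank line there would keep the config sample visually separate from the prose.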