It involves a far more restrictive list of requirements to validate the KDC's certificate. Generally, it needs a KDC certificate with the “KDC Authentication” EKU (see option b. above), which includes the “Server Authentication” EKU. It could be issued by a public CA or by an effectively configured internal CA (pr