diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index c6eedb0..ba32509 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1650,6 +1650,7 @@ Note: using Easy-RSA configuration from: $vars"
 	set_var EASYRSA_DIGEST sha256
 	set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
 	set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"
+	set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
 
 	# Same as above for the x509-types extensions dir
 	if [ -d "$EASYRSA_PKI/x509-types" ]; then
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 4c77171..c324897 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -190,6 +190,9 @@ fi
 #
 #set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
 
+# If you want to generate KDC certificates, you need to set the realm here.
+#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
+
 # OpenSSL config file:
 # If you need to use a specific openssl config file, you can reference it here.
 # Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
diff --git a/easyrsa3/x509-types/kdc b/easyrsa3/x509-types/kdc
new file mode 100644
index 0000000..702ec0a
--- /dev/null
+++ b/easyrsa3/x509-types/kdc
@@ -0,0 +1,21 @@
+# X509 extensions for a KDC server certificate
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}
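Review bot: The new default on the `set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"` line fails open: the kdc x509 type interpolates `${ENV::EASYRSA_KDC_REALM}` straight into the certificate's KRB5PrincipalName SAN, so a user who never sets the variable gets a KDC certificate signed for the realm CHANGEME.EXAMPLE.COM with no error, whereas an unset variable would normally make openssl refuse to load the config at all. Prefer no default here and an explicit check on the kdc issuance path, e.g. `[ "$EASYRSA_KDC_REALM" ] || die "EASYRSA_KDC_REALM is not set; it is required to issue kdc certificates"`, or keep the default but reject the placeholder value before signing. It is also worth confirming that set_var exports the variable (or that it is added to whatever export list the script keeps), since `${ENV::...}` only sees openssl's environment; that cannot be told from this hunk. The enclosing function continues outside the hunk.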
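Review bot: `keyUsage` in the new kdc type asserts nonRepudiation, keyEncipherment and keyAgreement alongside digitalSignature, which is wider than a PKINIT KDC certificate needs: the KDC's key is only used to sign its reply, so `keyUsage = digitalSignature` is the least-privilege profile — confirm against the KDC implementations you target before tightening, and consider marking it critical as the other usages are today. The header comment should also say what the file implements so a maintainer can review it against the standard: the EKU OID is id-pkinit-KPKdc, the SAN is a KRB5PrincipalName for krbtgt/REALM, and EASYRSA_KDC_REALM must be present in openssl's environment, e.g. `# PKINIT KDC profile (RFC 4556): EKU id-pkinit-KPKdc, SAN KRB5PrincipalName krbtgt/REALM; EASYRSA_KDC_REALM (case-sensitive) must be exported before signing`. Note that the realm is interpolated unvalidated in both the `realm` and `princ2` lines, so a placeholder or mistyped value ends up inside a signed certificate; since a config file cannot check this, the validation belongs on the shell side before the sign step.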