KX.509, from the University of Michigan, is a Kerberized client-side program that acquires an X.509 certificate using existing Kerberos tickets. The certificate and private key generated by KX.509 are normally stored in the same cache alongside the Kerberos credentials. This enables systems that already have a mechanism for removing unused Kerberos credentials to also automatically remove the X.509 credentials.