Simple DOD CAC PIV enablement for IdM

There is various documentation and steps in the Red Hat Identity Guide and other places on setting up PIV auth but little that has a step-wise approach to using DOD CAC pre-existing and IdM (FreeIPA).

(1) Associate certs from CAC with IdM user - DONE
(2) Update authconfig and sssd.conf on client - DONE
(3) Inserting CAC and entering PIN - FAILS
(4) Using certutil from cmdline with PIN - WORKS

There is mention in various places about adding the root CA (DOD CA-44 in this case) on the clients, but little about if it's required and a simple clear 1-2-3 approach to CAC + IdM for NAPS customers.

Would be really nice to have this or a reply, customer ticket open already.

Thanks much!