RHEL-8 smart card and SSSD p11_child do_verification error "unable to get local issuer certificate"

Solution Verified - Updated -

Issue

Smart card authentication appears to not work, fails.
Troubleshooting reveals a SSSD error from p11_child do_verification, like for example:

(2021-04-12 13:10:00:317891): [p11_child[31232]] [do_verification] (0x0040): X509_verify_cert failed [0].
(2021-04-12 13:10:00:317895): [p11_child[31232]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].

Environment

RHEL-8 with SSSD, OpenSC and smartcard, with or without IPA.

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In