RHEL-8 smart card and SSSD p11_child do_verification and certmonger error "unable to get local issuer certificate"

Solution Verified

Issue

Smart card authentication fails.
Troubleshooting reveals an SSSD error from p11_child do_verification, for example:

(2021-04-12 13:10:00:317891): [p11_child[31232]] [do_verification] (0x0040): X509_verify_cert failed [0].
(2021-04-12 13:10:00:317895): [p11_child[31232]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].

Another example, using certmonger and SCEP:

getcert list -i SCEP_Request1
Number of certificates and requests being tracked: 6.
Request ID 'SCEP_Request1':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://ca.example.test/certsrv/mscep/mscep.dll: Peer certificate cannot be authenticated with given CA certificates.


The error can be reproduced by querying the SCEP CA certificates:

/usr/libexec/certmonger/scep-submit -u https://ca.example.test/certsrv/mscep/mscep.dll/ -C
Error 60 connecting to https://ca.example.test/certsrv/mscep/mscep.dll/: Peer certificate cannot be authenticated with given CA certificates.

but it works when the PKI trust chain of the issuers is passed:

/usr/libexec/certmonger/scep-submit -u https://ca.example.test/certsrv/mscep/mscep.dll/ -C -R /tmp/ca.issuer.1.pem
-----BEGIN CERTIFICATE-----
MIIIJ...
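
As an added illustration (not part of this article or its solution), the following script builds a constructed root CA / issuing CA / server chain and shows the same X509 error 20 that p11_child and certmonger report when only the root is trusted and the issuing CA is unknown, and that the check passes once the full issuer chain is supplied, as with scep-submit -R above. It assumes only that the openssl command is available.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: reproduce X509 error 20
# ("unable to get local issuer certificate") with a constructed PKI.
set -eu
WORK=$(mktemp -d)   # left in place so the files can be inspected
cd "$WORK"

# Constructed two-level PKI: root CA -> issuing CA -> server leaf.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Issuing CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile int.ext 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=ca.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 2>/dev/null

# verify_leaf TRUSTFILE [UNTRUSTED]: verify leaf.pem against the trust
# anchors in TRUSTFILE, optionally with extra untrusted issuer certs,
# and print the verifier's verdict (the X509 error text or "OK").
verify_leaf() {
  trust=$1; untrusted=${2:-}
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$trust" -untrusted "$untrusted" leaf.pem 2>&1 || true
  else
    openssl verify -CAfile "$trust" leaf.pem 2>&1 || true
  fi
}

# Only the root is trusted, the issuing CA is nowhere to be found: error 20,
# the same failure p11_child logs for X509_verify_cert.
echo "--- root only:"
verify_leaf root.pem
# The issuing CA is supplied along with the root: verification succeeds.
cat root.pem int.pem > chain.pem
echo "--- full issuer chain:"
verify_leaf chain.pem
```

The same check against the real CA bundle used by SSSD or certmonger tells you whether the issuing CA of the server or card certificate is actually present there.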

Environment

RHEL-8 with SSSD, OpenSC and a smart card, with or without IPA.
RHEL-8 with any application using SSL or TLS server certificates, for example certmonger with SCEP.
