So, I've done some work on SSSD upstream to make this happen:
https://github.com/SSSD/sssd/pull/5558

With that we'll just be able to set on upgrades the option
`certification_verification = partial_chain`, and this will just make
SSSD's PEM ring work the way the NSS db used to work: that is, verify a
certificate if only its issuer is in SSSD's CA certificate DB.

This comes with unit tests covering the case with generated
certificates; not sure if I can personally test this with real hardware
(for SRU purposes) though... We may still need to simulate it.

In the end, it's just like doing:
  openssl verify -partial_chain -CAfile intermediate_CA.pem intermediate_CA_issued_cert.pem

Karl, will this be enough for you?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919563

Title:
  updated sssd with smart cards now brick systems without full cert
  chain

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
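The openssl comparison described above, as an added example that is not from the SSSD pull request or the bug thread: it generates throw-away root, intermediate and leaf certificates (constructed names) and shows that a trust store holding only the intermediate rejects the leaf under the default rules but accepts it with `-partial_chain`. It assumes `openssl` 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example (not SSSD code): reproduce the verification difference the
# post describes using throw-away OpenSSL certificates. All names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files for the CA and leaf certificates issued below.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# Root CA: self-signed; the default "req -x509" extensions mark it CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# Intermediate CA, issued by the root.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" >/dev/null 2>&1

# Leaf certificate (the smart-card user cert in the bug), issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Smart Card User' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_leaf CA_FILE FLAGS: prints "ok" when "openssl verify" accepts the leaf
# against CA_FILE with the given extra flags (FLAGS may be ""), "fail" otherwise.
verify_leaf() {
    if openssl verify $2 -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Case 1: the store holds only the intermediate. The chain never reaches a
# self-signed root, so the default verification fails ("unable to get issuer").
echo "intermediate only, default:        $(verify_leaf "$WORK/inter.pem" "")"
# Case 2: same store with -partial_chain: a chain that ends at any trusted
# certificate is accepted, which is what the SSSD option opts into.
echo "intermediate only, -partial_chain: $(verify_leaf "$WORK/inter.pem" -partial_chain)"
# Case 3: root and intermediate are both present, so the default rules pass too.
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
echo "full chain, default:               $(verify_leaf "$WORK/chain.pem" "")"
```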