URL: https://github.com/SSSD/sssd/pull/570 Title: #570: p11_child: add OpenSSL support
sumit-bose commented: """ Hi @jhrozek, thank you for the review.
I added 'certmap: allow missing empty EKU in OpenSSL version' to fix the missing EKU issues. The patch also contains a new test certificate without EKU to make sure libcertmap can handle missing EKUs.
I added default values and man page updates for the CA DB options. I chose /etc/sssd/sssd_auth_ca_db.pem as the default for the OpenSSL build. I'd prefer not to use system-wide CA bundles like e.g. /etc/pki/tls/certs/ca-bundle.crt, because if the certificate is mapped to the user not with the full certificate but only based on parts of the certificate content, validating the certificate with CA certificates trusted for authentication becomes important.
For the IPA case we can discuss with IPA developers if the ipa-advice helper script for Smartcard authentication can create this file as a link to /var/lib/ipa-client/pki/ca-bundle.pem. """
See the full comment at https://github.com/SSSD/sssd/pull/570#issuecomment-392500377
sssd-devel@lists.fedorahosted.org