Title: #570: p11_child: add OpenSSL support
About /etc/sssd/pki, I'm sorry, I didn't understood you correctly in the first
place. You suggested to use a directory based CA store (e.g. TLS_CACERTDIR of OpenLDAP)
instead of a file based one (e.g. TLS_CACERT of OpenLDAP). If prefer the file bases one
because of do not have run some rehash command to create the needed link in the directory
store and you can easy link it to other files based stores like e.g. the IPA one.
Nevertheless we can you /etc/sssd/pki to that the file name will be
/etc/sssd/pki/sssd_auth_ca_db.pem. The upcoming file with the CRL will then be
/etc/sssd/pki/sssd_auth_crl.pem. And if there is really a need for a directory store we
can add e.g. /etc/sssd/pki/ca_certs/.
Do you agree?
See the full comment at https://github.com/SSSD/sssd/pull/570#issuecomment-393114540