I'm trying to get smartcard auth working with sssd on RHEL 7.4. We currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this by using sssd instead. Unfortunately I cant get it to work, sssd does not seem to detect my smartcard certificate. 

Running p11_child I get the following:

$ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
(Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
(Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
(Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
(Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
(Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
(Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
(Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
(Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
(Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
(Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
(Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation              ] Manufacturer [Mozilla Foundation              ] flags [1].
(Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation              ] Manufacturer [Mozilla Foundation              ] flags [1].
(Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source                                  PKCS#11 Kit                      ] Manufacturer [PKCS#11 Kit                      ] flags [1].
(Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source                                        PKCS#11 Kit                      ] Manufacturer [PKCS#11 Kit                      ] flags [1].
(Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00                                        Generic                         ] Manufacturer [Generic                         ] flags [7].
(Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Token is NOT friendly.
(Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Login required.
(Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Filtered certificates:
(Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.
(Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): No certificate found.


What does the error code '-8062' mean?

Regards,
Adam