Thanks Valters for your verification! It's always better when someone that didn't commit the fix can help with it.

I've also done further verification to ensure that the migration happens as expected, so my sssd.conf was:

[sssd]
enable_files_domain = True
services = pam
certificate_verification = no_ocsp

[certmap/implicit_files/marco]
matchrule = .*TRVMRC[A-Z0-9]+/6090010669298009\.YOrY0zOk5CdMby2Z2O/HnVRA8Ao.*

[pam]
pam_cert_auth = True
pam_verbosity = 10
debug_level = 10
#pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
# pam_cert_db_path = /etc/pki/nssdb
pam_cert_db_path = /etc/pki/nssdb2
ca_db = /etc/pki/nssdb2
#ca_db = /etc/pki/nssdb

With /etc/pki/nssdb2 configured so that it was able to read my reader and containing the relative CA certificate:

$ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb2
(Mon Mar 1 15:16:29:470908 2021) [[sssd[p11_child[70818]]]] [main] (0x0400): p11_child started.
(Mon Mar 1 15:16:29:470980 2021) [[sssd[p11_child[70818]]]] [main] (0x2000): Running in [pre-auth] mode.
(Mon Mar 1 15:16:29:470991 2021) [[sssd[p11_child[70818]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon Mar 1 15:16:29:470998 2021) [[sssd[p11_child[70818]]]] [main] (0x2000): Running with real IDs [0][0].
(Mon Mar 1 15:16:31:152580 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Default Module List:
(Mon Mar 1 15:16:31:152668 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Mon Mar 1 15:16:31:152697 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): dll name: [(null)].
(Mon Mar 1 15:16:31:152706 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): common name: [PKCS#11 Kit modules proxy].
(Mon Mar 1 15:16:31:152715 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so].
(Mon Mar 1 15:16:31:152724 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Dead Module List:
(Mon Mar 1 15:16:31:152732 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): DB Module List:
(Mon Mar 1 15:16:31:152750 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Mon Mar 1 15:16:31:152759 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): dll name: [(null)].
(Mon Mar 1 15:16:31:152769 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9] removable [false] token present [true].
(Mon Mar 1 15:16:31:152818 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1] removable [false] token present [true].
(Mon Mar 1 15:16:31:153898 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Description [VMware Virtual USB CCID 00 00 VMware ] Manufacturer [VMware ] flags [7] removable [true] token present [true].
(Mon Mar 1 15:16:31:153949 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Found [MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][16] of module [2][/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so].
(Mon Mar 1 15:16:31:153976 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Token is NOT friendly.
(Mon Mar 1 15:16:31:153995 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Trying to switch to friendly to read certificate.
(Mon Mar 1 15:16:31:154029 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Login required.
(Mon Mar 1 15:16:31:154041 2021) [[sssd[p11_child[70818]]]] [do_card] (0x0020): Login required but no PIN available, continue.
(Mon Mar 1 15:16:31:170652 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): found cert[MARCO TREVISAN (PIN CNS0):CNS0][SN=TREVISAN,givenName=MARCO,CN="TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=",OU=REGIONE TOSCANA,O=Actalis S.p.A.,C=IT]
(Mon Mar 1 15:16:31:170710 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Filtered certificates:
(Mon Mar 1 15:16:31:170725 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): found cert[MARCO TREVISAN (PIN CNS0):CNS0][SN=TREVISAN,givenName=MARCO,CN="TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=",OU=REGIONE TOSCANA,O=Actalis S.p.A.,C=IT]
(Mon Mar 1 15:16:31:170776 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): module uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1.
(Mon Mar 1 15:16:31:170847 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): token uri: pkcs11:token=MARCO%20TREVISAN%20(PIN%20CNS0);manufacturer=IC:%20STMicroelectronics%3B%20mask:...;serial=6090010669298009;model=PKCS%2315%20emulated.
(Mon Mar 1 15:16:31:287477 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so (null) MARCO TREVISAN (PIN CNS0) (null) (null).
(Mon Mar 1 15:16:31:678018 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Found certificate has key id [01].
(Mon Mar 1 15:16:31:684142 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): uri: pkcs11:token=MARCO%20TREVISAN%20(PIN%20CNS0);manufacturer=IC:%20STMicroelectronics%3B%20mask:...;serial=6090010669298009;model=PKCS%2315%20emulated;library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1;object=CNS0;type=cert;slot-manufacturer=VMware;slot-description=VMware%20Virtual%20USB%20CCID%2000%2000;slot-id=16;id=%01.
MARCO TREVISAN (PIN CNS0)
/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
01
CNS0
MIIFrDCCBJSgAwIBAgIDNDXMMA0GCSqGSIb3DQEBBQUAMHMx
[...CERTIFICATE...]
f2vVnVMaAJXrmJWvreJrFPb+bCuEDqaubg7kpr+21TbMLQDOusKm66LAhOV4cIrLf5zlCTk7aP3/GszTXcFQ==

So dist-upgrading...

Configurazione di sssd-common (2.2.3-3ubuntu0.4)...
Installazione della nuova versione del file di configurazione /etc/apparmor.d/usr.sbin.sssd...
Importing /etc/pki/nssdb2 CA certificates to /etc/sssd/pki/sssd_auth_ca_db.pem
Found CA certificate Certificate WITH TRAILING spacesss
Found CA certificate Certificate with lots o of spacesss and invalid value
Certificate Certificate with lots o of spacesss and invalid value is not a trusted CA certificate, ignoring
Found CA certificate Certificate with lots o of spacesss
Found CA certificate Regione_Toscana_-_CA_Cittadini__Servizi_di_Certificazione_Actalis_S.p.A._IT
Found CA certificate Regione_Siciliana_Certification_Authority_Cittadini_Virtuale__Servizi_di_certificazione_Actalis_S.p.A._IT
[ ... more imported ... ]
Disabling sssd.conf setting using invalid value: 'ca_db'
Disabling sssd.conf setting using invalid value: 'pam_cert_db_path'

Once installation was done, my sssd.conf file was:

[sssd]
enable_files_domain = True
services = pam
certificate_verification = no_ocsp

[certmap/implicit_files/marco]
matchrule = .*TRVMRC[A-Z0-9]+/6090010669298009\.YOrY0zOk5CdMby2Z2O/HnVRA8Ao.*

[pam]
pam_cert_auth = True
pam_verbosity = 10
debug_level = 10
#pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
# pam_cert_db_path = /etc/pki/nssdb
#pam_cert_db_path = /etc/pki/nssdb2
#ca_db = /etc/pki/nssdb2
#ca_db = /etc/pki/nssdb

And launching the p11_child completes with:

sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
(Mon Mar 1 15:19:57:675490 2021) [p11_child[71877]] [main] (0x0400): p11_child started.
(Mon Mar 1 15:19:57:675598 2021) [p11_child[71877]] [main] (0x2000): Running in [pre-auth] mode.
(Mon Mar 1 15:19:57:675610 2021) [p11_child[71877]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon Mar 1 15:19:57:675630 2021) [p11_child[71877]] [main] (0x2000): Running with real IDs [0][0].
(Mon Mar 1 15:19:59:671859 2021) [p11_child[71877]] [do_card] (0x4000): Module List:
(Mon Mar 1 15:19:59:671916 2021) [p11_child[71877]] [do_card] (0x4000): common name: [p11-kit-trust].
(Mon Mar 1 15:19:59:671930 2021) [p11_child[71877]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Mon Mar 1 15:19:59:671969 2021) [p11_child[71877]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Mon Mar 1 15:19:59:672005 2021) [p11_child[71877]] [do_card] (0x4000): common name: [opensc-pkcs11].
(Mon Mar 1 15:19:59:672018 2021) [p11_child[71877]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(Mon Mar 1 15:19:59:675925 2021) [p11_child[71877]] [do_card] (0x4000): Description [VMware Virtual USB CCID 00 00 VMware ] Manufacturer [VMware ] flags [7] removable [true] token present [true].
(Mon Mar 1 15:19:59:679220 2021) [p11_child[71877]] [do_card] (0x4000): Found [MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(Mon Mar 1 15:19:59:679258 2021) [p11_child[71877]] [do_card] (0x4000): Login NOT required.
(Mon Mar 1 15:19:59:679448 2021) [p11_child[71877]] [read_certs] (0x4000): found cert[CNS0][/C=IT/O=Actalis S.p.A./OU=REGIONE TOSCANA/CN=TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=/GN=MARCO/SN=TREVISAN]
(Mon Mar 1 15:19:59:679733 2021) [p11_child[71877]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp02.actalis.it/VA/CNS_RTO].
(Mon Mar 1 15:19:59:813955 2021) [p11_child[71877]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Mon Mar 1 15:19:59:814198 2021) [p11_child[71877]] [do_ocsp] (0x4000): OCSP check was successful.
(Mon Mar 1 15:19:59:814247 2021) [p11_child[71877]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so (null) MARCO TREVISAN (PIN CNS0) (null) 01.
(Mon Mar 1 15:19:59:814305 2021) [p11_child[71877]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.20;slot-description=VMware%20Virtual%20USB%20CCID%2000%2000;slot-manufacturer=VMware;slot-id=0;model=PKCS%2315%20emulated;manufacturer=IC%3A%20STMicroelectronics%3B%20mask%3A...;serial=6090010669298009;token=MARCO%20TREVISAN%20%28PIN%20CNS0%29%00%00%00%00%00%00%00;id=%01;object=CNS0;type=cert.
(Mon Mar 1 15:19:59:814324 2021) [p11_child[71877]] [do_card] (0x4000): Found certificate has key id [01].
MARCO TREVISAN (PIN CNS0)
/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
01
CNS0
MIIFrDCCBJ
[ ...CERTIFICATE... ]
66LAhOV4cIrLf5zlCTk7aP3/GszTXcFQ==

So, all green!