Comment 16 for bug 1919563

So, I've done some work on SSSD upstream to make this to happen: https://github.com/SSSD/sssd/pull/5558

With that we'll just be able to set on upgraders the option `certification_verification = partial_chain`, and this will just make the SSSD's PEM ring to work as the NSS db used to work: and so verify a certificate if its only its issuer is in the SSSD's CA certificates DB.

This comes with unit tests covering the case with generated certificates, not sure if I can personally test this with real hardware (for SRU purposes) though... We may still need to simulate it.

At the end, it's just as doing:
  openssl verify -partial_chain -CAfile intermediate_CA.pem intermediate_CA_issued_cert.pem

Karl, will this be enough for you?