#7706 Adding 3rd Party CAs to IPA results in SmartCard preparation script failure
Closed: fixed 5 years ago Opened 5 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1579037

Adding Root+Intermediate CA certs for the Apache frontend as outlined in the
"Linux Domain, Identity, Authentication, and Policy Guide", Sections 26.3 and
26.6.

# kinit admin
# ipa-cacert-manage -n Apache1_Cert -t C,, install /etc/certs/current/Apache_Cert_CA.cer
# ipa-cacert-manage -n Apache2_Cert -t C,, install /etc/certs/current/Apache_Cert_Trust_CA.cer
# ipa-certupdate
# cat /etc/certs/current/Apache_Cert_CA.cer /etc/certs/current/Apache_Cert_Trust_CA.cer /etc/certs/current/cacert.crt > /etc/certs/current/cert_chain.pem
# ipa-server-certinstall --http /etc/certs/current/server.key /etc/certs/current/cert_chain.pem

At this point, the NSSNickname in /etc/httpd/conf.d/nss.conf was set to:
'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'

Please note the single quotes above.


I ran the following commands to set the server up for SmartCard auth and import
the CAs:

# kinit admin
# ipa-advise config-server-for-smart-card-auth > /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# chmod 755 /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh \
    /root/IPA_Stuff/SmartCard_CA/Root_CA_3.cer \
    /root/IPA_Stuff/SmartCard_CA/Ent_Trust_CA.cer \
    /root/IPA_Stuff/SmartCard_CA/example.cer

This resulted in the following error:

certutil: could not find certificate named "'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'": SEC_ERROR_BAD_DATABASE: security library: bad database.
Can not set trust flags on HTTP certificate

Upon further investigation, I found the certificate name wrapped in single
quotes in the nss.conf file, removed the single quotes and re-ran the
server_smart_card_script.sh.  This time it completed successfully without
issues, and SmartCard authentication was verified to work correctly.
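The failure above comes from handing the NSSNickname value to certutil with its surrounding quotes still attached, so certutil looks up a nickname that literally begins and ends with a single quote. The following is an added example, not the ipa-advise script and not the code of commit 6e2bd18: a small POSIX sh helper that reads NSSNickname from an nss.conf, strips one pair of surrounding single or double quotes, and builds the certutil invocation with the cleaned value. The sample nss.conf content is constructed; the NSS database path /etc/httpd/alias and the trust flags "u,u,u" are assumptions, and set_http_cert_trust prints the command instead of running it so the example works offline.

```shell
#!/bin/sh
# Added example (not the ipa-advise script): read NSSNickname from an httpd
# nss.conf and strip a surrounding pair of single or double quotes before the
# value is passed to certutil, so a quoted nickname does not become a literal
# "'CN=...'" lookup in the NSS database.

# Constructed sample nss.conf fragment using the quoted nickname from the report.
SAMPLE_NSS_CONF=$(mktemp)
cat > "$SAMPLE_NSS_CONF" <<'EOF'
# constructed sample, not a real /etc/httpd/conf.d/nss.conf
NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname 'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'
EOF

# nss_nickname <nss.conf>: print the NSSNickname value with surrounding quotes removed.
nss_nickname() {
    conf=$1
    # First uncommented NSSNickname line, with the directive name dropped.
    raw=$(sed -n 's/^[[:space:]]*NSSNickname[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    # Trim trailing whitespace.
    raw=${raw%"${raw##*[![:space:]]}"}
    case $raw in
        \'*\') raw=${raw#\'}; raw=${raw%\'} ;;   # single-quoted value
        \"*\") raw=${raw#\"}; raw=${raw%\"} ;;   # double-quoted value
    esac
    printf '%s\n' "$raw"
}

# set_http_cert_trust <nss.conf> <nssdb>: build the certutil command for the
# trust-flag step with the cleaned nickname quoted once, for the shell only.
# Assumed: database path and trust flags; the command is printed, not run.
set_http_cert_trust() {
    nick=$(nss_nickname "$1")
    [ -n "$nick" ] || { echo "no NSSNickname in $1" >&2; return 1; }
    printf 'certutil -M -d %s -n "%s" -t "u,u,u"\n' "$2" "$nick"
}

nss_nickname "$SAMPLE_NSS_CONF"
set_http_cert_trust "$SAMPLE_NSS_CONF" /etc/httpd/alias
rm -f "$SAMPLE_NSS_CONF"
```

Run as-is it prints the bare CN string, then a certutil line whose -n argument carries the nickname without the stray single quotes; an nss.conf with an unquoted or double-quoted nickname yields the same result, which is the property the preparation script needed.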

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1579037

5 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

5 years ago

Note: this issue does not happen any more on ipa-4-7 because this version is using mod_ssl instead of mod_nss. The fix needs to be made only on ipa-4-6 branch (neither master nor ipa-4-7 requires the fix).

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2376

5 years ago

ipa-4-6:

  • 6e2bd18 ipa-advise: fix script for smart card preparation

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
