I'm using the stock pam_pkcs11 configuration on Fedora 21. It seems to want to use a legacy nssdb in /etc/pam_pkcs11/nssdb, so I created one there with 'certutil -N' (no password). Now I can run 'pkcs11_inspect debug' and I get the following:

    DEBUG:cert_vfy.c:34: Verifying Cert: Red Key (User PIN):Intel Remote Access Linux for dwoodhou-linux (E=david.woodhouse,CN="Woodhouse, David",OU=Workers,DC=ger,DC=corp,DC=intel,DC=com)
    DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's Certificate issuer is not recognized.
    ERROR:pkcs11_inspect.c:140: verify_certificate() failed:

This is wrong. That certificate most certainly *does* verify, using the CAs installed in /etc/pki/ca-trust/source/anchors.

So let's try adding p11-kit-trust.so explicitly to the nssdb (although it's already symlinked from libnssckbi.so on Fedora, so it ought to be there anyway).

    # modutil -dbdir `pwd` -add p11-kit-trust -libfile /usr/lib64/p11-kit-trust.so
    # pkcs11_inspect debug
    DEBUG:cert_vfy.c:34: Verifying Cert: Red Key (User PIN):Intel Remote Access Linux for dwoodhou-linux (E=david.woodhouse,CN="Woodhouse, David",OU=Workers,DC=ger,DC=corp,DC=intel,DC=com)
    DEBUG:pkcs11_inspect.c:144: Inspecting certificate #1
    Printing data for mapper cn:
    Woodhouse, David

Yay, that looks happier. But why wasn't it working automatically?
Mostly obsoleted by bug 1173548 except perhaps for the trust issues... but maybe it makes sense that we don't automatically trust *all* CAs for approving users to log in, and we want to add the approved CAs manually to our own private database in /etc/pam_pkcs11/nssdb.
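The approach suggested in the comment above, building a private nssdb for pam_pkcs11 that trusts only the CAs you have explicitly approved for login, as an added worked example. This is not code from the bug report or from the pam_pkcs11 project; it only uses the certutil commands the report itself relies on. Assumptions: nss-tools (certutil) is installed, the approved CA is available as a PEM file, and the database directory, PEM path and nickname are whatever your deployment chooses. Whether the directory needs a "dbm:" (legacy) or "sql:" prefix depends on your NSS build and on which format pam_pkcs11 opens; the functions accept either form. The trust flags "CT,C,C" mark the certificate as a trusted CA for client and server certs, email and object signing, which is what pam_pkcs11 needs to accept it as an issuer.

```shell
#!/bin/sh
# Added example (not from the bug report or pam_pkcs11): maintain a private
# NSS database that trusts only explicitly approved CAs for smart-card login.
# Assumptions: certutil from nss-tools is on PATH; the CA is a PEM file;
# $db may carry a "dbm:" or "sql:" prefix, which mkdir/existence checks strip.

# Create an empty, password-less NSS database at $1. Refuses to recreate a
# database that already exists so an existing trust list is never wiped.
make_pam_nssdb() {
    db="$1"
    dir="${db#*:}"                      # strip an optional dbm:/sql: prefix
    mkdir -p "$dir"
    if [ -e "$dir/cert9.db" ] || [ -e "$dir/cert8.db" ]; then
        echo "nssdb already exists in $dir, not recreating" >&2
        return 0
    fi
    certutil -N -d "$db" --empty-password
}

# Import one approved CA certificate ($2, PEM) under nickname $3 into $1,
# flagged as a trusted CA (CT,C,C). Only CAs imported this way will be
# accepted as issuers when pam_pkcs11 verifies the card's certificate.
add_approved_ca() {
    db="$1"; pem="$2"; nick="$3"
    certutil -A -d "$db" -n "$nick" -t "CT,C,C" -a -i "$pem"
}

# Return 0 if nickname $2 is present in $1 with CA trust flags (C or CT in
# the SSL slot), 1 otherwise. Used to verify the database before relying on it.
ca_is_trusted() {
    db="$1"; nick="$2"
    certutil -L -d "$db" 2>/dev/null \
        | grep -F -- "$nick" \
        | grep -Eq 'CT?,C,C[[:space:]]*$'
}

# Usage: sh this_script.sh /etc/pam_pkcs11/nssdb /path/to/corp-ca.pem "Corp CA"
# Then point nss_dir in /etc/pam_pkcs11/pam_pkcs11.conf at the database and
# keep "ca" in cert_policy so the issuer is checked against it.
if [ "$#" -eq 3 ]; then
    make_pam_nssdb "$1" \
        && add_approved_ca "$1" "$2" "$3" \
        && ca_is_trusted "$1" "$3" \
        && echo "$3 is trusted in $1"
fi
```

After populating the database, re-run 'pkcs11_inspect debug' as in the report: a card whose certificate chains to an imported CA should now pass verification, while one issued by a CA that is in /etc/pki/ca-trust but not in this database should still fail with "issuer is not recognized", which is the intended behaviour when the private nssdb is the login trust store.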