Comment 32 for bug 1647285

Also adding SSSD here, would be easy enough to make its default PAM CA ring to point to /etc/ssl/certs/ca-certificates.crt by default (and change-able in settings) but not sure if we want to go this route as it may make SSSD documentation confusing (as it everywhere mentions /etc/sssd/pki/sssd_auth_ca_db.pem or /etc/sssd/pki/sssd_auth_ca_db.pem).

Maybe a nice way would be to provide a default sssd.conf file that explicitly set that instead of hard-coding it, so we won't break current installations.