Comment 5 for bug 1919563

Marco Trevisan (Treviño) (3v1n0) wrote :

So, if I didn't get it wrong: if we just used /etc/ssl/certs/ca-certificates.crt as the SSSD pam certificate, would such a case work?

I mean having this in /etc/sssd/sssd.conf

[pam]
pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt

And then what was in /etc/sssd/pki/sssd_auth_ca_db.pem would be added as .crt files under /usr/local/share/ca-certificates/sssd_auth_ca_db/, eventually calling update-ca-certificates, maybe?

We could even do it the other way around, probably, by adding a hook to /etc/ca-certificates/update.d/ so that we ensure that /etc/ssl/certs/ca-certificates.crt is always in sync with the system ring?

As Robie said, we could revert this change, but this would not be ideal for various reasons IMHO:
 1. As you said, this is going to be used more and more, and so we'll end up having to keep supporting a growing number of systems with an outdated method that is going to be dropped in future (i.e. better to do it now that its usage is limited than having to do it in future when the audience is bigger).
 2. We would like to have a single documented method for smartcard auth in Ubuntu using SSSD that can be validated from 20.04 onward and that keeps working in future LTSs (and for sure the next LTS will have to drop NSS anyway, so it's just delaying a problem and making it bigger).
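The migration step sketched in the comment, as an added shell example that is not from the bug thread or from SSSD itself: it splits the bundle SSSD currently reads into one .crt file per certificate in the directory update-ca-certificates scans. Function names, the output file naming and the sample PEM are my own; the sample bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the bug thread): update-ca-certificates only
# merges files with a .crt extension found under
# /usr/local/share/ca-certificates/, one certificate per file, so the
# SSSD bundle /etc/sssd/pki/sssd_auth_ca_db.pem must be split first.
# All paths are parameters so the step can be rehearsed in a scratch dir.
set -eu

# split_pem_bundle SRC DEST_DIR
# Writes each CERTIFICATE block of SRC to DEST_DIR/sssd_auth_ca_NN.crt
# (name chosen here, not by SSSD) and prints how many were written.
# Text outside BEGIN/END markers (comments, headers) is dropped.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dest="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1
            out = sprintf("%s/sssd_auth_ca_%02d.crt", dest, n) }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# count_certs FILE: number of CERTIFICATE blocks in a PEM file or bundle
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# demo_split: build a constructed two-certificate sssd_auth_ca_db.pem in a
# temporary directory, split it into a scratch ca-certificates tree and
# print "<certs in source> <certs written> <.crt files on disk>".
demo_split() {
    tmp=$(mktemp -d)
    cat > "$tmp/sssd_auth_ca_db.pem" <<'EOF'
# constructed sample bundle: two placeholder certificates
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAoneBodyLine
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAtwoBodyLine
-----END CERTIFICATE-----
EOF
    src=$(count_certs "$tmp/sssd_auth_ca_db.pem")
    n=$(split_pem_bundle "$tmp/sssd_auth_ca_db.pem" "$tmp/ca-certificates/sssd_auth_ca_db")
    files=$(ls "$tmp/ca-certificates/sssd_auth_ca_db"/*.crt | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$src $n $files"
}
```

On a real system the destination would be /usr/local/share/ca-certificates/sssd_auth_ca_db/ followed by running update-ca-certificates, after which count_certs on /etc/ssl/certs/ca-certificates.crt should have grown by the number of files written.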