Bug
Resolution: Unresolved
certsys-10.8
Description of problem:
RHCS-10 pkispawn post use for caadmin and parameters pki_client_database_dir and pki_client_database_purge
Running pkispawn for a CA on RHCS-10.8 with, for example:
pki_client_admin_cert_p12=/root/.dogtag/rhcs10-RSA-RootCA/ca_admin_cert.p12
pki_client_database_dir=/root/.dogtag/rhcs10-RSA-RootCA/certs_db
pki_client_database_password=SECret.123
pki_client_dir=/root/.dogtag/rhcs10-RSA-RootCA
pki_client_pkcs12_password=SECret.123
After pkispawn completes, the CA admin client NSS database is not fully usable, because it is missing the trusted issuer of the CA admin user's certificate:
# certutil -L -d ~/.dogtag/rhcs10-RSA-RootCA/certs_db/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
PKI Bootstrap Administrator for RSA-RootCA                   u,u,u
The default value of pki_client_database_purge is "True", so why does a pki_client_database_dir still exist after installation (and with only the admin cert in it)?
If the pki_client_database_dir is meant to exist after pkispawn completes, it should contain the issuer or the full trusted chain; with only the admin cert present, NSS cannot validate the admin cert and clients such as pki have to be pointed at a repaired database.
Other details:
man pki_default.cfg
...
CLIENT DIRECTORY PARAMETERS
pki_client_dir
This is the location where all client data used during the installation is stored. At the end of the invocation of pkispawn, the administrative user's certificate and keys are stored in a PKCS #12 file in this location.
Note: When using an HSM, it is currently recommended to NOT specify a value for pki_client_dir that is different from the default value.
pki_client_database_dir, pki_client_database_password
Location where an NSS token database is created in order to generate a key for the administrative user. Usually, the data in this location is removed at the end of the installation, as the keys and certificates are stored in a PKCS #12 file in pki_client_dir.
pki_client_database_purge
Set to True to remove pki_client_database_dir at the end of the installation. Defaults to True.
Example of how to make the admin NSS db usable:
Get the issuer:
# certutil -L -d /var/lib/pki/${pkiinstance}/conf/alias -n "CA Signing Cert - rhcs10-RSA-RootCA" -a > /var/lib/pki/rhcs10-RSA-RootCA/conf/alias/rhcs10-RSA-RootCA.ca.crt
Add the issuer to the pki_client_database_dir:
# certutil -A -d ~/.dogtag/rhcs10-RSA-RootCA/certs_db/ -n rhcs10-RSA-RootCA -i /var/lib/pki/rhcs10-RSA-RootCA/conf/alias/rhcs10-RSA-RootCA.ca.crt -t CT,CT,CT
Enter Password or Pin for "NSS Certificate DB":
Verify that the admin cert chain is valid:
# certutil -O -d ~/.dogtag/rhcs10-RSA-RootCA/certs_db/ -n "PKI Bootstrap Administrator for RSA-RootCA"
"rhcs10-RSA-RootCA" [CN=CA Signing Certificate,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA]
"PKI Bootstrap Administrator for RSA-RootCA" [CN=PKI Administrator,E=caadmin@example.test,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA]
# certutil -L -d ~/.dogtag/rhcs10-RSA-RootCA/certs_db/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
PKI Bootstrap Administrator for RSA-RootCA                   u,u,u
rhcs10-RSA-RootCA                                            CT,C,C
Finally, test the admin cert:
# pki -U https://test-vm23.testrealm.test:7443/ -d ~/.dogtag/rhcs10-RSA-RootCA/certs_db/ -n "PKI Bootstrap Administrator for RSA-RootCA" ca-user-show caadmin
Enter password for Internal Key Storage Token
--------------
User "caadmin"
--------------
User ID: caadmin
Full name: caadmin
Email: caadmin@example.test
Type: adminType
State: 1
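The repair above is easy to forget after an install, so here is a small POSIX shell check, added as an example and not part of the bug report or of pkispawn itself. It parses the output of certutil -L, reports whether the client database contains any certificate trusted as a CA for SSL (a C or T flag in the first trust column, which is exactly what the admin cert's issuer is missing in the listing quoted above), and wraps the report's export/import steps in a function. The sample listing embedded at the bottom is a constructed copy of the report's output; the function names, the temporary file path and the instance/nickname arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect a client NSS DB that holds the admin cert but no
# trusted issuer, as described in the bug report. Not pkispawn code.

# Parse `certutil -L` text on stdin and print "<nickname><TAB><trust>" per
# certificate. The two header lines and blank lines are skipped; a line is
# treated as a certificate only when its last field looks like NSS trust
# flags (letters from the set pPcCTu separated by commas).
parse_certutil_listing() {
    awk '
        /^Certificate Nickname/ || /^[ \t]*SSL,S\/MIME/ || /^[ \t]*$/ { next }
        {
            trust = $NF
            if (trust !~ /^[pPcCTu,]+$/) next
            nick = $0
            sub(/[ \t]+[pPcCTu,]+[ \t]*$/, "", nick)   # strip trust column
            printf "%s\t%s\n", nick, trust
        }'
}

# Exit 0 when some certificate in the listing on stdin carries C or T in
# the SSL trust field, i.e. NSS has a trusted issuer the admin cert can
# chain to; exit 1 otherwise (the state the report describes after pkispawn).
has_trusted_issuer() {
    parse_certutil_listing | awk -F'\t' '
        { split($2, f, ","); if (f[1] ~ /[CT]/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Convenience wrapper for a real database (needs certutil on PATH).
check_client_db() {
    certutil -L -d "$1" | has_trusted_issuer
}

# The report's remediation, parameterised: export the CA signing cert from
# the server NSS DB and import it into the client DB with CA trust.
#   $1 = pki instance name, $2 = CA signing cert nickname, $3 = client DB dir
import_issuer() {
    instance="$1"; signing_nick="$2"; client_db="$3"
    crt="/tmp/${instance}.ca.crt"                      # assumed temp path
    certutil -L -d "/var/lib/pki/${instance}/conf/alias" -n "$signing_nick" -a > "$crt" || return 1
    certutil -A -d "$client_db" -n "$instance" -i "$crt" -t CT,CT,CT || return 1
    rm -f "$crt"
}

# Demo on a constructed copy of the listing quoted in the report; for a
# live check use: check_client_db ~/.dogtag/rhcs10-RSA-RootCA/certs_db
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

PKI Bootstrap Administrator for RSA-RootCA   u,u,u'
if printf '%s\n' "$SAMPLE_LISTING" | has_trusted_issuer; then
    echo "client DB has a trusted issuer"
else
    echo "client DB is missing a trusted issuer: the admin cert cannot chain"
fi
```

To repair a database the check flags, call import_issuer with the instance name, the CA signing certificate nickname and the client directory, then re-run check_client_db and certutil -O as in the report.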