PKI operation with -n "client_cert" is failing with "UNKNOWN_CA" in FIPS mode

[PsOverflow]

Issue: PKI operation with -n "client_cert" is failing with "UNKNOWN_CA" in FIPS mode

Affected Version:
OS: Fedora-40
Build: @pki/master
dogtag-pki-11.6.0-0.1.alpha1.20240926002826UTC.dc14e3e1.fc40.x86_64

Steps to reproduce:

1. Enable FIPS

# fips-mode-setup --enable

# fips-mode-setup --check
FIPS mode is enabled.
Initramfs fips module is enabled.
The current crypto policy (FIPS) is based on the FIPS policy.

2. Install CA & KRA
3. Perform PKI authenticated operation:

NSSDB:

# certutil -L -d /tmp/test_hifworiv_pki

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
PKI KRA Administrator for Example.Org                        u,u,u
RootCA                                                       CT,C,C

Cert request:

# pki -d /tmp/test_hifworiv_pki -c SECret.123 -p 20443 client-cert-request UID=mycert --type crmf
  Request ID: 0x186014da66fe241885e6f036ac7240d6
  Type: enrollment
  Request Status: pending
  Operation Result: success
  Creation Time: Thu Sep 26 03:40:13 EDT 2024
  Modification Time: Thu Sep 26 03:40:13 EDT 2024

Request approve:

# pki -d /tmp/test_hifworiv_pki -c SECret.123 -p 20443 -n 'PKI CA Administrator for Example.Org' ca-cert-request-approve 0x186014da66fe241885e6f036ac7240d6
SEVERE: FATAL: SSL alert received: UNKNOWN_CA
IOException: Unable to read from socket: Error reading from socket: (-12195) Peer does not recognize and trust the CA that issued your certificate.

ca_debug.txt