SmartCards and Freeipa

Hey all,

So a group I work with needed a closed network with no internet access and Linux only environment. Not a hard ask (sort of), and so far we have freeipa up and our users log in with username/password currently. We got issued smart cards to use, but the issuer is an outside entity. In Freeipa I have pulled the certs from my card, added the .pem based format and added them to my user login. Based on Free ipa's recommendations I have made the maping rules based on the issuer, and got the issuer CA certs and used the ipa advise script on both the ipa server and the desktop I use. 

From there, I can get a positive match on both the ipa ui and on the desktop saying it belongs to me. When I log out and put the card it, it does indeed ask for my pin. Once I put it in, all I get is “sorry that did not work, try again”. I cannot seem to figure out what I am doing wrong for the login, though I suspect it has something to do with CRL’s, but to try and get around that for testing I put OCSP as No in free ipa, but the same message comes up. Anyone have any idea what I can check or try to get this part working (before I pound my face against a wall with the CRL side)?