EL8 Handling of CA Certificate

Has anyone run into issues with EL8 (CentOS 8, Oracle Linux 8, RHEL 8, etc.) handling of the Foreman CA Certificate?

I’m installing a test Katello Smart Proxy on a new EL8 system and ran into issues with the Smart Proxy being unable to communicate back to the Foreman host. When I test the CA Certificate using OpenSSL I get a verification error about a self-signed certificate in the certificate chain.

If I take the generated katello-server-ca.crt file and place it on any EL7 system and use an openssl s_client session to check connectivity against the Foreman server, it works. If I take that same generated CA file and place it on any EL8 system and use the same openssl s_client command, I get the validation error.

Now if I use any of the bundle certs (i.e. /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) it works, but not the individual katello generated CA certificate.

It’s a weird issue, and I’ve been pulling what little hair I have left out trying to figure out if I missed a step somewhere.