Best practice - accessing SSL certificates

Hi! I’ve been redirected here from the flatpak/README.md - if this is the wrong place for such a question, feel free to redirect me somewhere else :wink:

I’m currently preparing a flatpak application that uses a library that in turn makes use of OpenSSL for TLS connections. The application itself should be able to present a user's client certificate that is - alongside the domain CA and server certificates - available on the host through FreeIPA.

The first problem I’m running into is that openssl s_client -connect somwhere.internal.net:https on the host or in a toolbox works fine. If I run this command inside a flatpak, it prints some TLS information, but it is not able to trust/verify the first certificate in the chain. So something from the host is not 100% available in the flatpak.

Second problem: Instead of extracting the certificates to a file that is readable by the flatpak and used from the filesystem, I’d like to directly use the client certificates (i.e. the p11kit-proxy from ipa or a security key) in OpenSSL. How can I achieve this?

I found some lengthy discussions in the flatpak issue tracker, but it was a bit too pkcs-whatever-technical for me to understand it properly. It “looks” like flatpak is configured to use some nssdb p11kit socket mechanism in combination with an openssl configuration to transport the host certificates to the sandbox.

If so - what is needed to make it work properly? Is there some documentation I can learn from, or could someone explain on an API-user level what I need to do there?

Thanks!
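To narrow down the first problem (the chain verifies on the host but not inside the sandbox), it helps to compare the same openssl s_client run in both places in a repeatable way. The script below is an added diagnostic written for this thread, not code from the original post or from the flatpak project. It pulls the "Verify return code" out of an s_client transcript, maps the codes that mean "issuer CA not found" (20 and 21) to a hint about the trust store, and prints the locations this OpenSSL build consults (OPENSSLDIR via openssl version -d, plus the SSL_CERT_FILE and SSL_CERT_DIR environment variables). The transcript in SAMPLE_OUTPUT is constructed to resemble what the post describes; run_check is the live variant and assumes the openssl CLI is on PATH in whatever environment (host, toolbox, or flatpak sandbox) the script is executed in.

```shell
#!/bin/sh
# Added example (not from the original post): classify an `openssl s_client`
# transcript by its "Verify return code" line and show where OpenSSL looks for
# trust anchors, so a host-vs-sandbox difference can be pinned down.

# Constructed sample transcript, shaped like the failure described in the post.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = somwhere.internal.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = somwhere.internal.net
   i:CN = Example Internal CA
---
    Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed sample of a successful verification, for comparison.
SAMPLE_OK='CONNECTED(00000003)
---
    Verify return code: 0 (ok)
---'

# Print the numeric verify code from an s_client transcript (0 = chain trusted).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map a verify code to a short hint about the likely cause.
verify_hint() {
    case "$1" in
        0)     echo "trusted: chain verified against a CA in the trust store" ;;
        20|21) echo "trust-store: issuer CA not visible to this OpenSSL (check OPENSSLDIR, SSL_CERT_FILE, SSL_CERT_DIR)" ;;
        *)     echo "other verification failure (code $1)" ;;
    esac
}

# Show which trust locations this OpenSSL build consults.
trust_locations() {
    echo "OPENSSLDIR: $(openssl version -d 2>/dev/null || echo 'openssl not found')"
    echo "SSL_CERT_FILE=${SSL_CERT_FILE:-<unset>}"
    echo "SSL_CERT_DIR=${SSL_CERT_DIR:-<unset>}"
}

# Live check: connect to host:port, then classify the result.
# Usage: run_check somwhere.internal.net 443
run_check() {
    out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
    code=$(verify_code "$out")
    echo "verify code: ${code:-<none>}"
    verify_hint "${code:-255}"
    trust_locations
}

# Stand-alone demonstration on the constructed transcripts.
echo "sample failure: $(verify_code "$SAMPLE_OUTPUT") -> $(verify_hint "$(verify_code "$SAMPLE_OUTPUT")")"
echo "sample success: $(verify_code "$SAMPLE_OK") -> $(verify_hint "$(verify_code "$SAMPLE_OK")")"
trust_locations
```

Running run_check against the same internal host once on the host and once via flatpak run --command=sh inside the sandbox, and diffing the printed trust locations, shows directly whether the sandbox's OpenSSL is looking at a different OPENSSLDIR or is missing an SSL_CERT_FILE/SSL_CERT_DIR that the host relies on.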