Description
PROBLEM SUMMARY
TPP (v25.3) is using a valid certificate issued by a trusted CA. A playbook with a p12Task that leverages a client certificate to authenticate to the API fails with:
/vedauth/authorize/verify ": tls: failed to verify certificate: x509: certificate signed by unknown authority"
STEPS TO REPRODUCE
Omit the trustBundle (this file only includes the ICA and ROOT). The publicly trusted CAs are already in the OS truststore (reproduced on macOS and Linux).
```yaml
config:
  connection:
    credentials:
      accessToken: <ACCESS>
      clientId: vcert-cli
      p12Task: apiP12
      refreshToken: <REFRESH>
      scope: certificate:manage
    platform: tpp
    # trustBundle: /home/ec2-user/cas.pem
    url: https://<TPP_FQDN>
```
EXPECTED RESULTS
2025-12-12T03:23:13.136Z INFO vcert/playbook.go:103 running playbook file {"file": "tpp-aws-p12.yml"}
2025-12-12T03:23:13.136Z INFO parser/reader.go:59 playbook successfully parsed
2025-12-12T03:23:13.136Z INFO vcert/playbook.go:179 attempting to enable certificate authentication to TPP
2025-12-12T03:23:13.136Z WARN vcert/playbook.go:207 unable to read PKCS#12 file {"file": "/tmp/cert.pfx", "error": "open /tmp/cert.pfx: no such file or directory"}
2025-12-12T03:23:13.136Z INFO vcert/playbook.go:133 using Venafi Platform {"platform": "TPP"}
2025-12-12T03:23:13.186Z INFO vcert/playbook.go:146 running playbook task {"task": "apiP12"}
2025-12-12T03:23:13.186Z INFO installer/pkcs12.go:48 checking certificate health {"format": "PKCS12", "location": "/tmp/cert.pfx"}
2025-12-12T03:23:13.186Z INFO service/service.go:60 certificate needs action {"certificate": "auth-via-p12.cybr.com"}
2025-12-12T03:23:16.264Z INFO service/service.go:74 successfully enrolled certificate {"certificate": "auth-via-p12.cybr.com"}
2025-12-12T03:23:16.264Z INFO service/service.go:91 successfully prepared certificate for installation
2025-12-12T03:23:16.264Z INFO service/service.go:141 running Installer {"installer": "PKCS12", "location": "/tmp/jyppy.pfx"}
2025-12-12T03:23:16.268Z INFO service/service.go:163 successfully installed certificate {"location": "/tmp/cert.pfx"}
2025-12-12T03:23:16.268Z INFO vcert/playbook.go:159 playbook run finished
ACTUAL RESULTS
A playbook with a p12Task that leverages a client certificate to authenticate to the API fails with:
/vedauth/authorize/verify ": tls: failed to verify certificate: x509: certificate signed by unknown authority"
ENVIRONMENT DETAILS
vcert v5.12.2 on Linux (RHEL 9.6) and macOS (15.7.2).
Same behaviour with both.
No trust issues when using the accessToken.
COMMENTS/WORKAROUNDS
Create a local file containing the CA Root and ICA certificates and reference it in the playbook via trustBundle.