diff --git a/.github/workflows/ipa-subca-test.yml b/.github/workflows/ipa-subca-test.yml
index 438d54e1ce2..808cb7f82c4 100644
--- a/.github/workflows/ipa-subca-test.yml
+++ b/.github/workflows/ipa-subca-test.yml
@@ -96,11 +96,16 @@ jobs:
           docker exec ipa pki nss-cert-import \
               --cert root-ca_signing.crt \
               --trust CT,C,C \
+              root-ca_signing
+
+          docker exec ipa pki nss-cert-import \
+              --cert ipa.crt \
               ca_signing
 
           docker exec ipa pki pkcs12-import \
               --pkcs12 /root/ca-agent.p12 \
               --pkcs12-password Secret.123
+
           docker exec ipa pki -n ipa-ca-agent ca-user-show admin
 
       - name: Check lightweight CAs
diff --git a/.github/workflows/subca-basic-test.yml b/.github/workflows/subca-basic-test.yml
index 8accb955898..4b9e9fbd4be 100644
--- a/.github/workflows/subca-basic-test.yml
+++ b/.github/workflows/subca-basic-test.yml
@@ -172,11 +172,16 @@ jobs:
           docker exec subordinate pki nss-cert-import \
               --cert $SHARED/root-ca_signing.crt \
               --trust CT,C,C \
+              root-ca_signing
+
+          docker exec subordinate pki nss-cert-import \
+              --cert ca_signing.crt \
               ca_signing
 
           docker exec subordinate pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin
 
       - name: Check cert requests in subordinate CA
diff --git a/.github/workflows/subca-clone-hsm-test.yml b/.github/workflows/subca-clone-hsm-test.yml
index a62cf72c68d..1013a175247 100644
--- a/.github/workflows/subca-clone-hsm-test.yml
+++ b/.github/workflows/subca-clone-hsm-test.yml
@@ -283,6 +283,7 @@ jobs:
           docker exec primary-subca pki pkcs12-import \
               --pkcs12 $SHARED/caadmin.p12 \
               --pkcs12-password Secret.123
+
           docker exec primary-subca pki -n caadmin ca-user-show caadmin
 
       - name: Set up secondary DS container
diff --git a/.github/workflows/subca-clone-test.yml b/.github/workflows/subca-clone-test.yml
index 86d7ba1dff2..7a71ccbca44 100644
--- a/.github/workflows/subca-clone-test.yml
+++ b/.github/workflows/subca-clone-test.yml
@@ -116,9 +116,14 @@ jobs:
               --trust CT,C,C \
               root-ca_signing
 
+          docker exec primary-subca pki nss-cert-import \
+              --cert $SHARED/subca_signing.crt \
+              ca_signing
+
           docker exec primary-subca pki pkcs12-import \
               --pkcs12 $SHARED/caadmin.p12 \
               --pkcs12-password Secret.123
+
           docker exec primary-subca pki -n caadmin ca-user-show caadmin
 
       - name: Export primary sub-CA certs
@@ -246,9 +251,14 @@ jobs:
               --trust CT,C,C \
               root-ca_signing
 
+          docker exec secondary-subca pki nss-cert-import \
+              --cert $SHARED/subca_signing.crt \
+              ca_signing
+
           docker exec secondary-subca pki pkcs12-import \
               --pkcs12 $SHARED/caadmin.p12 \
               --pkcs12-password Secret.123
+
           docker exec secondary-subca pki -n caadmin ca-user-show caadmin
 
       - name: Check users in primary sub-CA and secondary sub-CA
diff --git a/.github/workflows/subca-cmc-test.yml b/.github/workflows/subca-cmc-test.yml
index 7f1711310b3..f67c147c841 100644
--- a/.github/workflows/subca-cmc-test.yml
+++ b/.github/workflows/subca-cmc-test.yml
@@ -187,10 +187,19 @@ jobs:
 
       - name: Verify subordinate CA admin cert
         run: |
-          docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b
+          docker exec subordinate pki nss-cert-import \
+              --cert $SHARED/root-ca_signing.crt \
+              --trust CT,C,C \
+              root-ca_signing
+
+          docker exec subordinate pki nss-cert-import \
+              --cert ca_signing.crt \
+              ca_signing
+
           docker exec subordinate pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec subordinate pki -n caadmin ca-user-show caadmin
 
       - name: Check cert requests in subordinate CA
diff --git a/.github/workflows/subca-external-test.yml b/.github/workflows/subca-external-test.yml
index 6d58655f18a..1c34c71f1b6 100644
--- a/.github/workflows/subca-external-test.yml
+++ b/.github/workflows/subca-external-test.yml
@@ -117,11 +117,16 @@ jobs:
           docker exec pki pki nss-cert-import \
               --cert root-ca_signing.crt \
               --trust CT,C,C \
+              root-ca_signing
+
+          docker exec pki pki nss-cert-import \
+              --cert ca_signing.crt \
               ca_signing
 
           docker exec pki pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec pki pki -n caadmin ca-user-show caadmin
 
       - name: Check cert requests in CA
diff --git a/.github/workflows/subca-hsm-test.yml b/.github/workflows/subca-hsm-test.yml
index 86bb3d6fcff..71b2b33cbd1 100644
--- a/.github/workflows/subca-hsm-test.yml
+++ b/.github/workflows/subca-hsm-test.yml
@@ -272,6 +272,7 @@ jobs:
           docker exec pki pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec pki pki -n caadmin ca-user-show caadmin
 
       - name: Check CA certs and requests