First thing I would try is to use the full path to security and openssl.
/usr/bin/security
/usr/bin/openssl
It probably doesn't work because the EA script is being run as root when a Mac checks in to submit inventory (or submits it at the end of a policy run) whereas when you run your script in Terminal, you're running it as you. Since you aren't specifying a path to the keychain to check, it's trying to look for that cert in the root keychain, which (likely) doesn't exist.
There are a couple of methods of resolving this. You could try including the full path to the user's keychain. For that, you need to get the username, which I assume might be the same as the $username variable in your script, but I'm not certain. Are you getting the username dynamically when the script runs? Like seeing who the main user is on the Mac, or who is logged in? If so, see if including /Users/$username/Library/Keychains/login.keychain at the end works.
Note that this doesn't always work though. In some cases, even the root account can't read some items from a user's keychain. I guess it's a security precaution Apple has included in the OS. It might be fine in this case, but in case it doesn't work, another option is to run the command itself as that user, which usually does work. For that, I tend to rely on the /bin/launchctl asuser syntax, rather than some of the other methods in use.
Do some searches here on that and you should find threads that discuss the method. If you still need help, post back and I can see what might need to be adjusted to make it work.
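As an added example (not the original poster's script), here is what an extension attribute following the advice above could look like: it finds the console user, targets that user's login.keychain explicitly, and runs security as that user via launchctl asuser plus sudo -u. CERT_NAME is a placeholder for the certificate's common name, and the macOS commands only execute on Darwin so the helpers can be inspected elsewhere.

```bash
#!/bin/sh
# Extension attribute: is a given certificate present in the console user's
# login keychain? Runs "security" as that user instead of as root, because
# root is not always allowed to read items from another user's keychain.

CERT_NAME="${CERT_NAME:-PLACEHOLDER-CERT-COMMON-NAME}"  # placeholder, set to your cert

# Build the path to a user's login keychain.
login_keychain_for() {
    printf '/Users/%s/Library/Keychains/login.keychain\n' "$1"
}

# Run "security find-certificate" as the given user (uid needed by launchctl)
# against their login keychain. With DRY_RUN=1 the command line is printed
# instead of executed, so the argv can be checked without macOS.
find_cert_as_user() {
    user="$1"; uid="$2"; cert="$3"
    keychain="$(login_keychain_for "$user")"
    set -- /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" \
        /usr/bin/security find-certificate -c "$cert" "$keychain"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@" >/dev/null 2>&1
}

main() {
    # Owner of /dev/console is the logged-in GUI user (root at loginwindow).
    user="$(/usr/bin/stat -f '%Su' /dev/console)"
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "<result>No console user</result>"
        return 0
    fi
    uid="$(/usr/bin/id -u "$user")"
    if find_cert_as_user "$user" "$uid" "$CERT_NAME"; then
        echo "<result>Present</result>"
    else
        echo "<result>Missing</result>"
    fi
}

# Only run the macOS-specific part on macOS.
if [ "$(uname)" = Darwin ]; then
    main
fi
```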
Using /bin/launchctl asuser didn't work.
The solution turned out to be adding /Users/${username}/Library/Keychains/login.keychain to the end of the security command and using launchctl.
Why it worked on some machines without it and why it broke on some I have no idea. :)
Thanks for the suggestions.