Thanks! Setting requiredSecret in /etc/pki/pki-tomcat/server.xml to the same value as secret improved things a little bit!
# ipa-healthcheck --severity ERROR
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPADogtagCertsMatchCheck",
    "result": "ERROR",
    "uuid": "7336ec84-03c6-4ddf-adb2-1070159fbaf8",
    "when": "20220825123343Z",
    "duration": "0.081966",
    "kw": {
      "key": "caSigningCert cert-pki-ca",
      "nickname": "caSigningCert cert-pki-ca",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "4972c614-31d5-4472-8de7-b0cc522e2db6",
    "when": "20220825123359Z",
    "duration": "0.156108",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  }
]