No, I didn't go back in time. I generated new certificates and imported them into the NSS DB after deleting the ones that contained Principals that had other hosts listed. I then updated CS.cfg with the cert and certreq values, and made sure the CA Subsystem cert in the NSS DB matched what is in LDAP.
I'm not sure what logs to look at. /etc/pki/pki-tomcat/ca/selftest has no errors. /etc/pki/pki-tomcat/ca/system has the last error from before I got ipa to fully start. The debug log has a lot of information, but nothing that looks like an error.
I've got no expired certs:
# getcert list | grep expires
expires: 2025-01-26 11:37:18 UTC
expires: 2025-01-26 11:37:04 UTC
expires: 2026-03-12 13:24:44 UTC
expires: 2034-04-01 11:38:26 UTC
expires: 2034-04-01 11:32:48 UTC
expires: 2034-04-01 11:35:47 UTC
expires: 2037-03-21 04:43:44 UTC
expires: 2024-12-24 11:37:06 UTC
expires: 2025-01-26 11:41:35 UTC
Trust attributes all look correct in /etc/pki/pki-tomcat/alias:
# certutil -L -d .
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca                    u,u,u
ocspSigningCert cert-pki-ca                  u,u,u
caSigningCert cert-pki-ca                    CTu,Cu,Cu
Server-Cert cert-pki-ca                      u,u,u
auditSigningCert cert-pki-ca                 u,u,Pu
Certmonger tracking shows correctly now, with the Subject having the CN and O in the correct order.
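As an added example (not part of the original post, and not FreeIPA's or Dogtag's own tooling), a small Python checker that automates the two manual checks above: it parses constructed samples of `getcert list` and `certutil -L` output, reports any tracked certificate that has already expired, and flags pki-tomcat nicknames whose trust flags differ from the set shown in the post. The sample outputs and the expected-trust table are assumptions modelled on that listing.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output, trimmed to the fields we parse.
GETCERT_OUTPUT = """\
Request ID '20240401113826':
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
        expires: 2034-04-01 11:38:26 UTC
Request ID '20241224113706':
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
        expires: 2024-12-24 11:37:06 UTC
"""
# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias` output.
CERTUTIL_OUTPUT = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca                    u,u,u
ocspSigningCert cert-pki-ca                  u,u,u
caSigningCert cert-pki-ca                    CTu,Cu,Cu
Server-Cert cert-pki-ca                      u,u,u
auditSigningCert cert-pki-ca                 u,u,Pu
"""
# Trust flags each pki-tomcat cert should carry (assumed from the post's own listing).
EXPECTED_TRUST = {"subsystemCert cert-pki-ca": "u,u,u", "ocspSigningCert cert-pki-ca": "u,u,u",
                  "caSigningCert cert-pki-ca": "CTu,Cu,Cu", "Server-Cert cert-pki-ca": "u,u,u",
                  "auditSigningCert cert-pki-ca": "u,u,Pu"}

def parse_getcert(text):
    """Map NSS nickname -> expiry (aware UTC datetime) from `getcert list` output."""
    certs, nick = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"nickname='([^']+)'", line)
        if m:
            nick = m.group(1)            # remember which tracking request we are in
        elif line.startswith("expires:") and nick:
            certs[nick] = datetime.strptime(line[8:].strip(), "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return certs

def expired(certs, now):
    """Nicknames whose certificate has already expired at `now` (aware datetime)."""
    return sorted(n for n, exp in certs.items() if exp <= now)

def parse_certutil(text):
    """Map nickname -> trust flags from `certutil -L` output; the header lines do not match."""
    rows = (re.match(r"^(\S.*?)\s{2,}([CTPpcu,]+)$", line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def trust_mismatches(trust, expected=EXPECTED_TRUST):
    """{nickname: (actual, expected)} for certs that are missing or carry other flags."""
    return {n: (trust.get(n), e) for n, e in expected.items() if trust.get(n) != e}
```

On a live host, feed it the real command output (`getcert list` and `certutil -L -d /etc/pki/pki-tomcat/alias`) instead of the constructed samples.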