Thanks Rob! New certs are all replicated and all IPA services are started on all 6 servers. I can perform 'ipa cert-show 1' on all 6 and get the expected result.
As a sanity check I did run the ipa-healthcheck on all 6 servers. One of them came back fine, the other 5 returned
[ { "source": "ipahealthcheck.ipa.dna", "kw": { "msg": "No DNA range defined. If no masters define a range then users and groups cannot be created.", "range_start": 0, "next_start": 0, "next_max": 0, "range_max": 0 }, "uuid": "70636197-0b3e-4424-b509-1aa7f8be084d", "duration": "0.706384", "when": "20240405170045Z", "check": "IPADNARangeCheck", "result": "WARNING" } ]
Now it's just a WARNING, and since the one didn't return it (they're all denoted as MASTER) maybe it's okay?