I know this is an old thread, but I'm just posting this for someone who comes across the same issue as I did...
In order to fix my problem (in my case the 'ocspSigningCert cert-pki-ca' certificate renewing with the wrong subjects) I had to do the following:
Find the serial number for that certificate:
# certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Serial
Get the requestID:
# ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={SERIALNUMBER},ou=certificateRepository,ou=ca,o=ipaca "metaInfo"
Get the request data:
# ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={REQUESTID},ou=ca,ou=requests,o=ipaca
If the request data does not match the current certificate, we need to find one which should be used instead:
# certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Subject
# ldapsearch -D "cn=Directory Manager" -W -s sub -b ou=ca,ou=requests,o=ipaca "extdata-req--005fsubject--005fname--002ecn={SUBJECT}"
If we have multiple results, check which one has the right attributes set by comparing to a different system. Once you know which request to use, change the requestid in the certificateRepository to the one selected. I used ldapadmin to connect and make the change, but ldapmodify should also work.
Hope this helps someone in the future...
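The procedure above as a set of small shell helpers (added example, not from the original post or from the Dogtag/FreeIPA projects): they parse the certutil and ldapsearch output of each step, check whether a request's subject CN actually matches the certificate, and build the ldapmodify LDIF that re-points the certificateRepository entry. Assumptions: the metaInfo attribute is stored as "requestId:<n>", the entry DN is cn=<serial>,ou=certificateRepository,ou=ca,o=ipaca, and all sample outputs are constructed.

```shell
# Serial number (decimal) from the output of
#   certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca"
serial_from_certutil() {
    sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Subject CN from the same certutil output (Subject: "CN=...,O=...").
subject_cn_from_certutil() {
    sed -n 's/^[[:space:]]*Subject: "CN=\([^,"]*\).*/\1/p' | head -n 1
}

# Request id from the certificateRepository entry's metaInfo attribute.
# Assumption: Dogtag stores it as "metaInfo: requestId:<n>".
requestid_from_metainfo() {
    sed -n 's/^metaInfo: requestId:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Subject CN recorded in a request entry (the attribute the post searches on).
subject_cn_from_request() {
    sed -n 's/^extdata-req--005fsubject--005fname--002ecn: \(.*\)$/\1/p' | head -n 1
}

# Succeeds only when the request's CN equals the certificate's CN.
# $1 = certutil output, $2 = ldapsearch output for the request entry.
request_matches_cert() {
    cert_cn=$(printf '%s\n' "$1" | subject_cn_from_certutil)
    req_cn=$(printf '%s\n' "$2" | subject_cn_from_request)
    [ -n "$cert_cn" ] && [ "$cert_cn" = "$req_cn" ]
}

# LDIF for `ldapmodify -D "cn=Directory Manager" -W` that re-points the
# certificateRepository entry at the chosen request. $1 = serial, $2 = request id.
ldif_set_requestid() {
    printf 'dn: cn=%s,ou=certificateRepository,ou=ca,o=ipaca\n' "$1"
    printf 'changetype: modify\nreplace: metaInfo\nmetaInfo: requestId:%s\n' "$2"
}

# Constructed sample outputs (not captured from a real system).
CERTUTIL_SAMPLE='        Serial Number: 268369921 (0xfff0001)
        Subject: "CN=OCSP Subsystem,O=EXAMPLE.COM"'
CERT_ENTRY_SAMPLE='metaInfo: requestId:6'
WRONG_REQUEST_SAMPLE='extdata-req--005fsubject--005fname--002ecn: CA Audit'
RIGHT_REQUEST_SAMPLE='extdata-req--005fsubject--005fname--002ecn: OCSP Subsystem'
SERIAL=$(printf '%s\n' "$CERTUTIL_SAMPLE" | serial_from_certutil)
if request_matches_cert "$CERTUTIL_SAMPLE" "$WRONG_REQUEST_SAMPLE"; then
    echo "request $(printf '%s\n' "$CERT_ENTRY_SAMPLE" | requestid_from_metainfo) already matches the cert"
else
    ldif_set_requestid "$SERIAL" 7   # 7: the request id chosen after the search step (constructed)
fi
```

Pipe the printed LDIF into ldapmodify only after you have confirmed the chosen request against a known-good system, as the post describes.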