The problem was definitely the ra-agent.pem. I generated a new one, imported it into
~/.dogtag/nssdb and LDAP, and placed the pem and key in /var/lib/ipa/.
Now I can verify the certificate with the openssl verify command. Additionally, the error
in the UI is gone, and running 'ipa cert-show 1' works and doesn't return
the error I was seeing.
The last piece here is replicating the new certificates to the other 5 hosts in the cluster.
Is there a method to do that or should I import the new certs manually on the other hosts?