I got it resolved - IPA does not seem to support importing a rechained external CA. It
doesn't seem to have anything to do with ipaCertSubject being unique but it's
something else where there are two different chains for the same external CA.
I was able to ldapdelete the old problematic certs from ldap> etc > ipa >
certificates. And then I was able to successfully run the ipa-advise script for adding the
CA certs. This time ipa-cacert-manage worked without throwing the public key info mismatch
error.
And then I ran ipa-certupdate on all IPA servers, and clients that required smartcard
auth. And it seemed to work fine for the new certs. Unfortunately, this likely means that
the cards with the old chain will stop working but they are in the small minority and
we'll likely have to get them new cards signed by the external CA with the new chain.
I would like to suggest that the ability to rechain and have two different chains for the
same external CA be added to FreeIPA. It's likely a rare situation but it happens.
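Before deleting anything from the cn=certificates store, it helps to see which subjects actually carry two distinct certificates. The following is an added example (not from the poster or the FreeIPA project) that parses a constructed ldapsearch/LDIF dump of that store and reports every ipaCertSubject that has more than one distinct cACertificate value; the base DN layout and attribute names are assumed from the usual FreeIPA schema, and the certificate blobs are placeholders rather than real DER.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed LDIF excerpt standing in for the output of
#   ldapsearch -b cn=certificates,cn=ipa,cn=etc,$SUFFIX
# (base DN assumed from the usual FreeIPA layout). The cACertificate
# values are short placeholder blobs, not real certificates.
SAMPLE_LDIF = """\
dn: cn=EXTERNAL-CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: EXTERNAL-CA
ipaCertSubject: CN=External Root CA,O=Example
cACertificate;binary:: AAECAwQF
ipaKeyTrust: trusted

dn: cn=EXTERNAL-CA-2,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: EXTERNAL-CA-2
ipaCertSubject: CN=External Root CA,O=Example
cACertificate;binary:: BgcICQoL
ipaKeyTrust: trusted

dn: cn=IPA-CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: IPA-CA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.COM
cACertificate;binary:: DA0ODxAR
ipaKeyTrust: trusted
"""

def parse_ldif(text):
    """Split an LDIF dump into entries. A '::' separator marks a base64
    value. Folded continuation lines are not handled in this example."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        val = base64.b64decode(val[1:].strip()) if val.startswith(":") else val.strip()
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def find_conflicting_subjects(text):
    """Return {subject: [entry DNs]} for every subject whose entries hold
    more than one distinct certificate, i.e. two chains for the same CA."""
    by_subject = defaultdict(dict)  # subject -> {cert fingerprint: dn}
    for e in parse_ldif(text):
        for der in e.get("cACertificate;binary", []):
            fp = hashlib.sha256(der).hexdigest()
            by_subject[e["ipaCertSubject"][0]][fp] = e["dn"][0]
    return {s: sorted(v.values()) for s, v in by_subject.items() if len(v) > 1}
```

Entries that repeat an identical certificate collapse to one fingerprint, so only genuinely different chains for the same subject are reported.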