Sorry, I've figured it out myself...
The problem was not with the Root CA certificate, the reported error is misleading here.
Actually, the problem was with the certificate generated for the FreeIPA itself.
It had CA:FALSE, because I forgot to select the right extension profile when signing it
with my openssl "pseudo-CA".
I've reissued the certificate for FreeIPA with "CA:TRUE" - and it accepted
it.