Flo always solves my IPA problems, even with a 4-year-old answer :-)
Thanks again for that.
For people searching this later: The problem can be fixed using:

    $ getcert list -f /var/kerberos/krb5kdc/kdc.crt    (note the request Id)
    $ getcert resubmit -i <request id>
    $ getcert list -i <request id>

After that, the kdc.crt is a new one, and this one contains the Subject Alternative Name field.
And web logins immediately work again.