Thanks for your help. I ended up uninstalling and reinstalling all clients and saw the new CA certificates during the process. But the ISSUE/NEEDED_PREAUTH messages remain - is that normal?
Any idea how I can fix my other problem, that of not being able to login to the admin interface? In the apache server log I see
[Tue Apr 21 13:50:50.888429 2020] [wsgi:error] [pid 28066:tid 140524982961920] [remote X:51978] ipa: INFO: 401 Unauthorized: HTTPSConnectionPool(host='Xipa', port=443): Max retries exceeded with url: /session/cookie (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fce86b4c310>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Note that, for some reason, "ipa" is added to the hostname which, of course, results in a host not found error.