It seems that the force certificate renewal is not working on the OCP clusters with FIPS enabled.
Renewal is triggered by strimzi.io/force-replace.
The resources - Kafka, ZK, EO - should do three rolls to renew their certificates, the two rolls are executed without a problem, but the third roll is not completely finished and CO contains errors (the attachment contains the full operator log).

The issue was discovered by test in `SecurityST#testAutoReplaceAllCaKeysTriggeredByAnno`.