Using the FIPS configuration on the Utimaco HSM is failing because something is using PSS where most of the rest is using PKCS# v1.5. The HSM requires that one pick a signature method and stick to it.

Marco reported success using PSS when installing PKI.

The IPA RA certificate is issued by certmonger during the installation and it only uses PKCS# v1.5. There is no direct support for PSS in certmonger (on the to-do list in STATUS).