OK, got it. I did the kinit to do the update and was able to import the cert and update the
certs collection.
It took several attempts and the above advice to get the right procedure, but to recap,
the steps (near as I can tell) are:
1. Create a PKCS#12 certificate from the server certificate, private key and the chain
containing the CA's cert. I used openssl's pkcs12 command for this.
2. Import the CA's cert with "ipa-cacert-manage"
3. Use ipa-server-certinstall to install the certificate bundle thing from step 1. This
depends on step 2, because the CA must be trusted.
4. Use "kinit" to get a Kerberos ticket. The argument to this is "admin in
our case", because that's our administrative
5. Use "ipa-certupdate" to update the list of certificates and restart the
services that need restarting.
Thanks for the help!
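
Step 1 of the recap as an added example (not part of the original post): a shell function that builds the PKCS#12 bundle with openssl's pkcs12 command, but only after checking that the private key belongs to the server certificate and that the certificate verifies against the CA chain. The file arguments, the "server-cert" friendly name and the P12_PIN variable are assumptions, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: pre-flight checks plus PKCS#12 export (step 1 of the recap).
# Usage: P12_PIN=... build_p12 server.crt server.key chain.pem server.p12
# All file names and P12_PIN are assumed names, not taken from the post.

# Print the public key (PEM) held in a certificate / in a private key file.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# Return codes: 0 ok, 2 bad input, 3 key/cert mismatch, 4 chain does not verify.
build_p12() {
    cert=$1 key=$2 chain=$3 out=$4
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    [ -n "${P12_PIN:-}" ] || { echo "set P12_PIN first" >&2; return 2; }

    # Check 1: the private key must match the server certificate.
    cert_pub=$(pubkey_of_cert "$cert" 2>/dev/null) || return 3
    key_pub=$(pubkey_of_key "$key" 2>/dev/null) || return 3
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 3
    fi

    # Check 2: the server certificate must verify against the CA chain,
    # otherwise the later install step has nothing it can trust.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against $chain" >&2
        return 4
    fi

    # Export. The PIN is passed through the environment so it does not
    # appear on the command line; umask keeps the bundle owner-only.
    (
        umask 077
        export P12_PIN
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -name "server-cert" -out "$out" -passout env:P12_PIN
    )
}
```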