Hello,

Thanks to this group's help, I'm learning my way through IPA's certificate system.

I read Fraser's well written post on creating sub-CAs, and successfully got everything to work. I then ran into the same problem Kevin Vasko hit in this thread:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/45CQE3CGG5QFZ5YMRGYJDICB7WWFWAVQ/

It seems Debian-based Chrome and Firefox don't implicitly trust the OS root certificate store.

For each Firefox profile (about:profiles), the NSS db is in ~/.mozilla/firefox/<profile>. The certs in this directory can be listed with:

certutil -d sql:/home/nick/.mozilla/firefox/4sar5x5s.default-release/ -L

On Ubuntu 18.04, after installing and configuring IPA client (# ipa-client-install --mkhomedir), the IPA certificate is listed in the store.

Still, Firefox doesn't trust the IPA server or its trusted hosts. Why???

It's been established that Linux Firefox and Linux Chrome don't trust the OS trusted certificate stores. It seems, with all that comes with assumptions, that Firefox doesn't trust its own profile store, either.

Nick
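A check that follows on from the thread above, as an added example that is not part of Nick's post or of FreeIPA: a CA that appears in `certutil -L` output is only *present* in the NSS db; Firefox trusts it for server authentication only when the SSL column of its trust attributes carries the "C" flag (",," means present but untrusted). The two helpers below parse the text that `certutil -d sql:<profile-dir> -L` prints and report that flag; the sample output, nicknames and profile path are constructed for the example.

```shell
#!/bin/sh
# Added example: inspect the trust attributes of one CA nickname in the text
# output of `certutil -d sql:<profile> -L`. Nothing here modifies the db.
# Real use: certutil -d sql:"$HOME/.mozilla/firefox/<profile>" -L | nss_trust_attrs "<nickname>"

# Print the trust-attribute column (e.g. "CT,C,C" or ",,") for the nickname
# given as $1, reading certutil -L output on stdin; print "absent" if missing.
nss_trust_attrs() {
    awk -v nick="$1" '
        # Skip the two header lines; data lines have nickname + attributes.
        NR > 2 && NF >= 2 {
            attrs = $NF
            # The nickname may contain spaces: drop the trailing attribute field.
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)
            if ($0 == nick) { print attrs; found = 1; exit }
        }
        END { if (!found) print "absent" }
    '
}

# Exit 0 when the SSL column (first comma-separated field) carries the "C"
# (trusted CA for server auth) flag, 1 when present but untrusted, 2 if absent.
nss_ssl_trusted() {
    attrs=$(nss_trust_attrs "$1")
    [ "$attrs" != "absent" ] || return 2
    ssl=${attrs%%,*}
    case "$ssl" in *C*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of certutil -L output: the IPA CA is listed but carries
# no trust flags, while a second root is trusted for SSL, S/MIME and code.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          ,,
Example Root CA                                              CT,C,C'

# Report the attributes of a nickname in the constructed sample.
sample_attrs() {
    printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | nss_trust_attrs "$1"
}

# Report whether a nickname in the constructed sample is SSL-trusted.
sample_ssl_trusted() {
    printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | nss_ssl_trusted "$1"
}
```

A CA reported as ",," is the "listed but not trusted" state the post describes; the trust flags, not mere presence, decide what Firefox accepts.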