#258 Renewing a certificate on a token doesn't remove the old certificate from the default token
Closed: fixed a year ago by rcritten. Opened a year ago by rcritten.

NSS is generally fine with different certificates and the same subject and treats them as the same nickname. Some applications don't like it though so certmonger will remove duplicate certificates when adding a new one.

This only happened in the token that the tracking request defined.

When using a token, the certificate is also in the default token in order to store the NSS trust values.

This was discovered while renewing the IPA KRA audit certificate where the KRA failed to start. The KRA certificate appeared twice in the database, once without trust.

It was incorrectly diagnosed as merely a duplicate problem. Code needs to be added to remove the duplicate, but it is also a bug in IPA where during renewal the IPA-provided renew_ca_cert does not set ,,P trust on the audit certificate. That was the root cause of the startup failure. The trust issue is tracked in freeipa upstream https://pagure.io/freeipa/issue/9353
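The two conditions described above (a nickname present twice in the NSS database, one copy carrying no trust flags) are easy to check for from a `certutil -L` listing. The following script is an added example, not certmonger or FreeIPA code; the listing it parses is constructed, and the nicknames and trust strings in it are assumed for illustration:

```python
"""Check an NSS certificate listing for duplicate nicknames and missing trust.

Added example (not certmonger code). Parses the text produced by
`certutil -L -d <dbdir>` and reports nicknames that occur more than once
and nicknames whose trust flags differ from what the operator expects.
"""
from collections import defaultdict

# Constructed sample of `certutil -L` output illustrating the situation in the
# ticket: the audit certificate appears twice and the second copy has no
# trust. Nicknames and flags are assumed, not taken from a real system.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-kra                                ,,P
auditSigningCert cert-pki-kra                                ,,
storageCert cert-pki-kra                                     u,u,u
"""

# Lines certutil prints before the entries themselves.
HEADER_PREFIXES = ("Certificate Nickname", "SSL,S/MIME")


def parse_listing(text):
    """Return a list of (nickname, trust) tuples from certutil -L output.

    Nicknames may contain spaces, so only the last whitespace run is split:
    the trust attributes are always the final field (e.g. ",,P" or ",,").
    """
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(HEADER_PREFIXES):
            continue
        parts = stripped.rsplit(None, 1)
        if len(parts) != 2:
            continue  # not an entry line
        nickname, trust = parts
        entries.append((nickname.strip(), trust))
    return entries


def duplicate_nicknames(entries):
    """Nicknames that occur more than once, with the trust flags of each copy."""
    seen = defaultdict(list)
    for nickname, trust in entries:
        seen[nickname].append(trust)
    return {n: flags for n, flags in seen.items() if len(flags) > 1}


def trust_mismatches(entries, expected):
    """Entries whose trust flags differ from the expected ones.

    `expected` maps nickname -> trust string. Every copy of a nickname is
    checked, so an untrusted duplicate of a trusted certificate is reported.
    """
    return [(n, t) for n, t in entries if n in expected and t != expected[n]]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for nickname, flags in duplicate_nicknames(entries).items():
        print(f"duplicate: {nickname!r} -> {flags}")
    expected = {"auditSigningCert cert-pki-kra": ",,P"}
    for nickname, trust in trust_mismatches(entries, expected):
        print(f"trust mismatch: {nickname!r} has {trust!r}, "
              f"expected {expected[nickname]!r}")
```

Run it against a real database by replacing `SAMPLE_LISTING` with the captured output of `certutil -L -d <dbdir>` (and `-h <token>` for the HSM token); checking both the default token and the tracked token separately is what exposes the case in this ticket, where only the tracked token had its duplicate removed.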


Merged to master: b13abef

Metadata Update from @rcritten (a year ago):
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

Metadata
Related Pull Requests
  • #259 Merged a year ago