I looked at my configuration and the OID was instead of .17.

I copied the configuration example from a bad reference.

Also, the configuration filename I needed to edit was located in two places, and the one I had configured according to that same documentation was not having an effect. I had to modify /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg instead.

Lastly, "service pki-ca start" did not do anything, because there is no service named pki-ca. I had to use "pki-server instance-stop|start pki-tomcat" to get it to start.