Entitlement certificate not containing all content - #2 by Dirk contains a workaround for this issue. I’ve run the script it links (on el8, need to change the shebang line from tfm-ruby to just ruby), but it seems to detect the problem correctly and looks like it would fix it. I haven’t run the script because I’m working with some other red hatters on more diagnostics.
The repo with the script is here: GitHub - ATIX-AG/orcharhino-scripts: Utility scripts for the orcharhino-server. Might also work on foreman-/katello-servers..
I’ll mark this post as a solution and hopefully we can find something more permanent in candlepin itself.