Cisco DNA Sensor

michael18
Level 1

I have a DNA sensor to add to DNAC. It's the first one to be added. I can see it in PnP but it doesn't join correctly. Onboarding stops at 10%.

Logs from sensor SSH:

CertificateError: hostname 'pnpserver.domain' doesn't match either of 'localhost', 'kong', 'kong.maglev-system', 'kong.maglev-system.svc', 'kong.maglev-system.svc.cluster', 'kong.maglev-system.svc.cluster.local',

 

DNA device status:

NCOB02066: Device disconnected probably due to incorrect certificate or TLS version.

Has anyone come across this and found a fix?

5 Replies 5

balaji.bandi
Hall of Fame

DNA sensor - what DNAC sensor? You mean Sensor AP?

If Wi-Fi sensor AP, then what is the version of DNAC? It requires a 2.3.X version to work.

BB

Yeah, AP1801. A sensor used with DNAC. Current version 2.3.4.

Michael18,

Just to let you know, we do not support the Access Points (AP1801 or other APs) as a sensor device in Catalyst Center Appliances in most recent releases. We only support the Cisco Aironet 1800s Active Sensor, and each sensor runs sensor-specific software which matches the Catalyst Center Release Train that it wants to join.

Cisco Aironet 1800s Active Sensor
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1800/quick/guide/ap1800sgetstart.html

Cisco Aironet Active Sensor Deployment Guide
https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/deploy-guide/Cisco_1800S_Sensor_Deployment_Guide_133.pdf

Aironet 1800s Network Sensor
https://software.cisco.com/download/home/286318948/type/286288051/release/2.3.7.0

Preston Chilcote
Cisco Employee

It sounds like you replaced the self-signed certificate, but didn't include pnpserver.domain in the Certificate Signing Request (CSR). Be sure to follow this doc to generate a new CSR and certificate that includes that URL:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

In our lab I have recently replaced the certificate on DNAC with one signed by the internal CA. I used the GUI to generate the CSR, hit the issue with the CN only being accepted if it was the IPv4 address, but I put the various SAN entries in so it all seems to work. This then had some knock-on effects that have taken me some time to resolve - ISE integration broke and I had to "sudo maglev-config refresh_certs" on DNAC to get it to accept the certificate from ISE - not sure why this worked, but it did. We also have an AP1800S-WiFi-Sensor and this hasn't worked since I replaced the DNAC cert.

On the sensor I am getting the error "ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] unknown error: unable to get local issuer certificate (_ssl.c:1123)"  and I am struggling to solve it.  The SAN on the DNAC cert contains all the IPv4 addresses as well as the DNA names, plus a 'pnpserver.<local DNS suffix>'.

I'm not sure what else to try.

EDIT: I replaced the DNAC system certificate again. I used the GUI to create the CSR, added the various SAN DNS names including 'pnpserver.<domain suffix>', got it signed by the internal CA. I then combined the resulting PEM file with the CA root PEM file into a single file and fed it back to DNAC. DNAC kicked me out due to the new cert. I logged back in, rebooted the sensor (PoE off/on) and it's now gone through the PNP stuff and onboarded.

It's a proper house of cards.
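
The two sensor errors quoted in this thread (a hostname that does not match the certificate's names, and "unable to get local issuer certificate") can both be checked offline with `openssl` before a certificate is uploaded. The script below is an added example, not code from any poster or from Cisco; the lab CAs, the file names, the `example.test` domain and the `192.0.2.10` address are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: CA names, file names and example.test are placeholders.
set -eu
WORK=$(mktemp -d)

make_ca() {    # $1 = name of a self-signed test root
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab $1 CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_leaf() {  # $1 = leaf name, $2 = subjectAltName value, $3 = signing CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -extfile "$WORK/$1.ext" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# True when the certificate is valid for the hostname the client connects to.
covers_host() {  # $1 = certificate, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True when the certificate chains to a root in the given CA file.
chains_to() {    # $1 = CA file, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca root
make_ca other
make_leaf good  "DNS:dnac.example.test,DNS:pnpserver.example.test,IP:192.0.2.10" root
make_leaf nosan "DNS:dnac.example.test,IP:192.0.2.10" root

for c in good nosan; do
  if covers_host "$WORK/$c.pem" pnpserver.example.test; then r=yes; else r=NO; fi
  echo "$c.pem covers pnpserver.example.test: $r"
done
for ca in root other; do
  if chains_to "$WORK/$ca.pem" "$WORK/good.pem"; then r=yes; else r=NO; fi
  echo "good.pem chains to $ca.pem: $r"
done
```

To check a real certificate, call `covers_host` and `chains_to` on the signed PEM and the issuing CA's PEM instead of the generated lab files.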