Thanks Dinesh,
I misread that argument for ca-cert-request-review is serial number, but as you said it has to be request ID. Indeed, I made progress, and can retrieve renewed Cert:
I also stopped PKI server, removed old cert from NSS database, and installed new one. This is all for ipaCert. But before I start renewing other ones (audit, ocsp, subsystem), I have to ask next
[1] how to properly convert cert (.crt file) into one line?
I believe I need this in order to update below lines in CS.cfg file.
[6] Submit cert request, it's pending
# pki ca-cert-request-submit caManualRenewal.xml
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 89990160
Type: renewal
Request Status: pending
Operation Result: success
[7] This fails with message "BadRequestException: Request Not In Pending State", as per [6] it should be in pending state
# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve