It looks like this certificate is being generated by software written against a more recent version of the OPC UA spec, which now definitively states that for a self-signed certificate the cA bit of the BasicConstraints extension shall be set to false, with true being accepted for backwards compatibility as long as the pathLength constraint is 0.
Unfortunately Ignition is still looking for the cA bit to be true instead. We'll have to update this validation in a future version.
However, under these new rules, all self-signed certificates must have the keyCertSign KeyUsage bit set, so even if we were up to date on the validation rules it would still fail.
For now you'll just have to leave the validation disabled.
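
The two rules described in the post above, written as a check you can run against your own certificate. This is an added example, not part of the original post and not Ignition's validation code. It uses the Python `cryptography` package; `check_self_signed`, `make_cert` and the test certificates it builds are hypothetical names and constructed data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def check_self_signed(cert):
    """Return the list of rule violations; an empty list means the cert passes."""
    # Assumption: "self-signed" is judged by issuer == subject; the signature is not verified.
    if cert.issuer != cert.subject:
        return ["not self-signed (issuer != subject)"]
    problems = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        # cA=false is the current rule; cA=true is tolerated only with pathLength 0.
        if bc.ca and bc.path_length != 0:
            problems.append("cA=true requires pathLength=0")
    except x509.ExtensionNotFound:
        problems.append("BasicConstraints missing")  # assumption: reported, not judged
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.key_cert_sign:
            problems.append("keyCertSign not set")
    except x509.ExtensionNotFound:
        problems.append("KeyUsage missing")  # assumption: reported, not judged
    return problems

def make_cert(ca, path_length, key_cert_sign):
    """Build a constructed self-signed certificate for exercising the check."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-opcua-app")])
    start = datetime.datetime(2024, 1, 1)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=True, key_encipherment=True,
            data_encipherment=True, key_agreement=False, key_cert_sign=key_cert_sign,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
```

To check a real certificate, load it with `x509.load_pem_x509_certificate()` or `x509.load_der_x509_certificate()` and pass the result to `check_self_signed`.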