Channel: Active questions tagged https - Stack Overflow

Client does not recognize private CA with self signed certificate


I've been trying to upgrade internal APIs to use HTTPS instead of HTTP. Going back to HTTP is not an option due to JavaScript needing permission to send credentials in its fetch call (just setting the HttpOnly flag to false on the cookie isn't enough, and CORS doesn't allow credential sending to a different domain without HTTPS).

For whatever reason, whenever a client on the internal network tries to query an API via HTTPS I get a self-signed certificate error, regardless of whether the CA's certificate has been appended to the trusted CA store on the client.

To create the certificate for the server I took the following actions:

  • created a CA with openssl using the command openssl genrsa -aes256 -out ca.key 4096
  • created a CA certificate that can be added to a client's trusted ca store with the command openssl req -x509 -new -nodes -key ca.key -sha256 -days <days> -out ca.crt
  • created a certificate signing request for the internal domain and a private key for the server via openssl req -new -nodes -out server.csr -newkey rsa:4096 -keyout server.key
  • created a .v3.ext file to add subject alternative names to the server's certificate
  • signed the CSR with the CA key and certificate via openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <days> -sha256 -extfile server.v3.ext to obtain the server certificate

I'm running a flask server so I used server.key and server.crt for the ssl_context and then appended the CA's certificate, ca.crt, to the trusted ca-store on the client. I used both curl (with and without the --cacert option) and node's fetch API to query the server which is when I get the self-signed certificate error.

I have also tried just making a self-signed certificate for the server, using the server's key and certificate for the ssl_context, and then appended the server's certificate into the trusted ca-store. This approach yielded the same result.

I don't know why the client doesn't use the CA's certificate - does it not see it? Should I not be appending the certificate to the trusted ca-store, and instead something else?
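The procedure the question describes, carried through end to end as an added example (this is not code from the question or from any answer): a private CA, a server key and CSR, a v3 extension file with subject alternative names, the signing step, and then the two checks a client performs. The hostname api.internal.example, the CA subject, the key sizes and the lifetimes are assumptions for the demo; the CA key is left unencrypted so the script runs without a passphrase prompt, and extensions are taken from explicit config files so the system openssl.cnf cannot silently change the result.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA, issue a
# server cert with SANs, then verify it the way a client does.
# Names, key sizes and lifetimes below are assumptions for the demo.
set -eu

# Create ca.key/ca.crt, server.key/server.csr, and sign the CSR into server.crt.
make_ca_and_server() {
    dir="$1"; host="$2"
    mkdir -p "$dir"

    # CA config: basicConstraints CA:TRUE and keyCertSign are what let a client
    # accept this certificate as an issuer at all.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Internal Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 2048-bit keys keep the demo fast; the post used 4096 with -aes256.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -config "$dir/ca.cnf" -out "$dir/ca.crt"

    # Server key + CSR. The CN is set for readability only; clients match
    # the hostname against the SAN list, not the CN.
    cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -config "$dir/server.cnf" -out "$dir/server.csr" 2>/dev/null

    # The v3 extension file applied at signing time (the post's server.v3.ext).
    cat > "$dir/server.v3.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/server.v3.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Check 1: what a client does when ca.crt is in the store it actually uses.
# The chain must build to ca.crt AND the SAN must match the requested name.
verify_as_client() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Check 2: what a client does when ca.crt is NOT in its store. This is the
# failure the question reports; it must return non-zero.
verify_without_ca() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

# Inspect the SAN list actually written into server.crt.
san_contains() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

WORK="$(mktemp -d)"
HOST="api.internal.example"
make_ca_and_server "$WORK" "$HOST"

if verify_as_client "$WORK" "$HOST"; then
    echo "with ca.crt trusted: server.crt verifies for $HOST"
fi
if verify_without_ca "$WORK"; then
    echo "without ca.crt: unexpectedly accepted"
else
    echo "without ca.crt: rejected, as a client without the CA would do"
fi
```

Two things worth checking against the symptom described. First, the exact error string matters: OpenSSL reports "self signed certificate" (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) only when the certificate the server actually presented is self-signed; a leaf signed by a CA that the client cannot find produces "unable to get local issuer certificate" instead. So `openssl s_client -connect host:port -showcerts` is the first thing to run, to confirm the served certificate is the CA-signed server.crt and not some other file. Second, "the trusted CA store on the client" is not one place: `curl -v` prints the CAfile/CApath it was built to use, which on some builds is a private bundle rather than the OS store, and Node does not read the OS store at all but ships its own root list, so a private CA has to be supplied via `NODE_EXTRA_CA_CERTS=/path/to/ca.crt` in the environment of the node process.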

