IMHO it would be a nice and useful feature for this role to support [RFC8555](https://www.rfc-editor.org/rfc/rfc8555)-compliant CAs like Let's Encrypt. With this feature users who don't have a Free IPA CA could request valid X.509 domain certificates. What do you think about this proposal?
