Title: #526: server install: properly handle PKINIT-related options
No, you are wrong. Certmonger has own local self-signed CA in all installs:
# getcert list-cas
This is what can and should be used for self-signed case for PKINIT.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code