For enrolling a client certificate in the browser, this is a valid RFE, although
in practice certificate authn in browsers is not common and not important
for most users of FreeIPA (at this time).

But for other use cases, there is still the necessary step of exporting the
certificate+key from the browser and importing it wherever it is needed for
the 802.1x auth, VPN auth, or whatever the non-browser use case is. So it
is not as straightforward as you make out, and I'm not sure how much
value there is.

Feel free to comment further on what sort of workflow you want for the
non-browser use cases.

Non-browser use cases are going to be less straightforward no matter what it is. I was planning on me or someone I work with providing the patch for this.

Very well - thank you! If it solves an important use case for you, we are open to that. freeipa-devel@lists.fedorahosted.org is the place to go to discuss any implementation details, and the way to get your patch reviewed is to open a Pull Request on GitHub freeipa/freeipa.

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.