If the SP machine is enrolled as an IPA client then it should be able to get a certificate from the IPA CA if the service is pre-created.
Add an option to at least try.
This would need a call to ipa service-show HTTP/hostname to see if the service exists. If it does then have certmonger get one.
If we want to get really fancy the client installer could prompt to continue or not. If continue (or we don't ask) then it would generate a self-signed cert like it does today.
milestone: => Backlog
Metadata Update from @nkinder:
- Issue set to the milestone: Backlog
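
The check-then-request flow proposed in this ticket, as an added example (not the project's installer code). The function names, the `IPA_CONF` and `GETCERT` variables, the use of `/etc/ipa/default.conf` as the enrollment marker, and the `openssl` fallback parameters are assumptions.

```shell
#!/bin/sh
# Added example: prefer an IPA-issued certificate, fall back to self-signed.
# Usage (after defining the functions): obtain_sp_cert "$(hostname -f)" sp.crt sp.key

: "${IPA_CONF:=/etc/ipa/default.conf}"  # assumption: written by ipa-client-install
: "${GETCERT:=ipa-getcert}"             # certmonger's IPA front end

# Print "ipa" when the host is enrolled and the HTTP/<host> service entry
# already exists in IPA, otherwise "self-signed".
choose_cert_source() {
    host=$1
    # ipa service-show exits non-zero when the entry is missing; it also
    # fails without a valid Kerberos ticket, which lands in the fallback too.
    if [ -f "$IPA_CONF" ] && ipa service-show "HTTP/$host" >/dev/null 2>&1; then
        echo ipa
    else
        echo self-signed
    fi
}

# Obtain cert and key for the SP and print which source was used.
obtain_sp_cert() {
    host=$1; cert=$2; key=$3
    # -K: service principal, -D: DNS subjectAltName, -w: wait for issuance.
    # The [ -s ] test confirms a certificate was actually written.
    if [ "$(choose_cert_source "$host")" = ipa ] &&
       "$GETCERT" request -f "$cert" -k "$key" \
           -K "HTTP/$host" -D "$host" -w >/dev/null 2>&1 &&
       [ -s "$cert" ]; then
        echo ipa
        return 0
    fi
    # Fallback: generate a self-signed certificate instead.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -keyout "$key" -out "$cert" >/dev/null 2>&1 || return 1
    echo self-signed
}
```

A certificate requested through certmonger stays tracked for renewal, which the self-signed fallback does not provide.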