I'm guessing the complete lack of a response does not bode well for this
idea...

Ideally, I'd rather not manage an external CA at all; existing use cases
are service certificates and a handful of user or device-specific client
certs. I've been digging into the sub-CA support a bit more, and it might
be possible to cover everything within FreeIPA, possibly adding
otherwise-unused principals as needed.

The lingering question, then: what to do with the existing CA?

I've found a few threads suggesting it may be possible to wedge an
existing cert/key into a new IPA instance at install time, but they're all
light on specifics. Any other ideas for a smooth transition from this CA
to one entirely owned by FreeIPA, maybe within 3 years or so? ;)

-Rob

Hello Rob,
FreeIPA can be deployed in environment with existing DNS and/or CA server.
IIRC you have following options:
- regarding DNS:
-- Delegate DNS zone for FreeIPA. It will then manage the zone and add records
there. Obviously, it will not add records for clients in other zones.

-- Don't setup DNS in FreeIPA and keep managing all records in your current DNS
server. There's plan to integrate with external DNS servers [1] but nothing was
done yet.

- regarding CA:
-- install CA-less FreeIPA - you need to issue certificates for HTTPD and 389-DS
with your certificate server and provide those when installing FreeIPA server

-- install FreeIPA with CA certificate signed with external CA. Use
--external-ca option. The installation will be interupted to let you sign
generated CSR. FreeIPA will then issue all needed certificates.

-- install FreeIPA with self-signed CA certificate. This is default but then
you need to distribute the certificate to all clients.

Certmonger [2] is configured during ipa-server-install to track and renew
certificates.

[1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer
[2] https://pagure.io/certmonger