Bug
Resolution: Unresolved
rhel-10.1, rhel-9.7
rhel-idm-ipa
IPA currently uses RPC calls, a mix of XML and JSON, to communicate with the CA for things like certificate issuance, revocation, search, etc. This reduces the flexibility of the PKI team to modify their REST and XML APIs, or drop one completely.
PKI provides a Python API, used by their own clients, which hides this complexity. IPA should also utilize this.
The KRA calls within IPA already use a similar API.
This will need to retain flexibility to work with older servers, as when migrating from one major release to another there may be differing versions of PKI running simultaneously. So a fallback to an older API will be necessary. This needs to be handled by the Python API.