The submission protocol is a set of XMLRPCs.

All requests go to https://server/ipa/xml.  The server's name is given
in /etc/ipa/ipa.conf.  The client authenticates using negotiate auth,
presumably as a client of the server's realm, which is also named in
/etc/ipa/ipa.conf.

IPA expects all XMLRPCs to include unnamed arguments first, and then a
dictionary (XMLRPC-jargon: "struct") of named arguments, some of which
are optional (i.e., because the server defines a default value for them).

Initial request method = "cert_request".

The unnamed required parameter is the CSR in base64-encoded form, with
all whitespace (including newlines) stripped.

A required named parameter is 'principal', a string-form principal name
for which this certificate will be provisioned.

An optional named parameter is 'add', with default False, controlling
whether or not an entry in the directory should be created for the
principal if no such entry already exists.

An optional named parameter is 'type', with default 'pkcs10', and other
values undefined.  It's possible that 'crmf' would be accepted, too, but
we don't generate that (or not yet, anyway).

Response is a struct with these members:
  status: 0 or 2
Response struct may also contain some of these members:
  subject: issued subject, as a string
  certificate: issued certificate, base64-encoded, no whitespace
  serial_number: "0x..."
  request_id: ???

And John was right: if you have any problems getting those creds for
negotiate, xmlrpc-c will not return.  Not current versions, anyway.
And that includes not having [domain_realm] mappings set up right.

- Based on ipalib/plugins/cert.py from ipa 2.0 branch on 2009111917