Description of problem:
I'd like the ability to to set pathlen on subcas. I can also imagine use cases where I'd want to set Validity lengths or NameConstraints differently on per sub-ca basis.
My thought is it would be cool if ipa ca-add supported a --profile-id in the same way ipa cert-request does. It would default to some profile you ship similar to caIPAserviceCert. If I wanted something else I could easily download, edit and upload the custom profile, then tell ca-add to use it.
Version-Release number of selected component (if applicable):
Steps to Reproduce: