I did an other test following the above one:

[yi@works4me ipa-cert]$ ipa cert-show 20 --out=
ipa: ERROR: non-public: TypeError: coercing to Unicode: need string or buffer, NoneType found
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 125, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 422, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 729, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 456, in forward
    check_writable_file(options['out'])
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 234, in check_writable_file
    fp = open(filename, 'w')
TypeError: coercing to Unicode: need string or buffer, NoneType found
ipa: ERROR: an internal error has occurred


end user should not see the error trace info at least

https://fedorahosted.org/freeipa/ticket/954

continue play around with it

[yi@works4me ipa-cert]$ ipa cert-show 20 --o
Usage: ipa [global-options] cert-show SERIAL-NUMBER [options]

ipa: error: --out option requires an argument


--o same as --out ?

[yi@works4me ipa-cert]$ ipa user-find --r
--------------
1 user matched
--------------
  uid: admin
  sn: Administrator
  homedirectory: /home/admin
  loginshell: /bin/bash
  nsaccountlock: False
----------------------------
Number of entries returned 1
----------------------------
[yi@works4me ipa-cert]$ ipa user-find --raw
--------------
1 user matched
--------------
  uid: admin
  sn: Administrator
  homedirectory: /home/admin
  loginshell: /bin/bash
  nsaccountlock: False
----------------------------
Number of entries returned 1
----------------------------

[yi@works4me ipa-cert]$ ipa user-find --r --a
--------------
1 user matched
--------------
  dn: uid=admin,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
  uid: admin
  sn: Administrator
  cn: Administrator
  homedirectory: /home/admin
  gecos: Administrator
  loginshell: /bin/bash
  krbprincipalname: admin.COM
  uidnumber: 455200000
  gidnumber: 455200000
  nsaccountlock: False
  ipauniqueid: 190662f6-2e4f-11e0-ac57-001636ff6d62
  krblastfailedauth: 20110211175312Z
  krblastpwdchange: 20110503221339Z
  krblastsuccessfulauth: 20110211203935Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20110801221339Z
  memberof: cn=admins,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
  memberof: cn=Replication Administrators,cn=privileges,cn=pbac,dc=sjc,dc=redhat,dc=com
  memberof: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  memberof: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  memberof: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  memberof: cn=Unlock user accounts,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  memberof: cn=Manage service keytab,cn=permissions,cn=pbac,dc=sjc,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: inetuser
  objectclass: ipaobject
----------------------------
Number of entries returned 1
----------------------------


a quick conclusion:
looks like --all same as --a, --raw same as --r, 

and if there is more than one option starts with same letter, we have:

[yi@works4me ipa-cert]$ ipa cert-show 20 --o
Usage: ipa [global-options] cert-show SERIAL-NUMBER [options]

ipa: error: --out option requires an argument

and if there is more than one option starts with same char, we have:


[yi@works4me ipa-cert]$ ipa user-find --p
Usage: ipa [global-options] user-find [CRITERIA] [options]

ipa: error: ambiguous option: --p (--pager, --password, --phone, --postalcode, --principal?)

This last thing, more than one option, is not an error. It is a helpful hint that the command has no idea what you want to do.

master: dab452442d1425332369d00d95be4cd1b460407f