I think the customer read this from our manual:

"Alternatively, the IPA server can use a certificate issued by an external CA. This can be a corporate CA or a third-party CA like Verisign or Thawte. As with a normal setup process, using an external CA still uses a Dogtag Certificate System instance for the IPA server for issuing all of its client and replica certificates; the initial CA certificate is simply issued by a different CA.
When using an external CA, there are two additional steps that must be performed: submit the generated certificate request to the external CA and then load the CA certificate and issued server certificate to complete the setup. "

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/creating-server.html#install-ca-options

This is possible right? Maybe they misunderstood "external certificate" with "IPA without PKI". 


Suggestion: reword to talk about external "root" certificate and make the general wording a bit clearer to avoid the confusion.