Sorry I guess I got confused on this. There would be still the key of the FreeIPA internal
CA Certificate which was signed by the external CA and this can be used for issuing
certificates. However as far as I understood, there can only be one externally signed CA
certificate - the one handled during the installation via --external-ca. Correct?