Yes, the freeIPA project is intended as a CA, but it should acknowledge the web of trust from ca-certificates. Or not, I think the LetsEncrypt team here have certainly weighed in how they feel about certificates, I eagerly await the FreeIPA teams response here:
But, I also acknowledge that you are correct, if you were using FreeIPA to be authoritative over your infrastructure it probably belongs behind the firewall with your own CA. However, I am building a publicly available demo, and I would prefer not to require users to install CA certificates in this case.