[Freeipa-users] SubCA for firewall appliance (CertProcessor: no profile policy set found)

Trying to follow and adapt https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi... for issuing a Subordinate CA for a firewall appliance. For user VPN certs and testing SSL Interception. When I try to issue the certificate I get the following error: ipa-admin@jmp0:~$ ipa cert-request ~/cert_FreeIPA_SubCA.csr --principal host/subca-fw01.domain.local --profile SubCA --certificate-out subca-fw01.pem ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Policy Set Not Found But the certprofile exists and I'm not sure what a `Policy Set` is... ipa-admin@ipa1:~$ ipa certprofile-show SubCA Profile ID: SubCA Profile description: Subordinate CA Store issued certificates: True ipa-admin@ipa1:~$ ipa caacl-show SubCA ACL name: SubCA Description: Subordinate CA Enabled: True Service category: all CAs: ipa Profiles: SubCA Users: ipa-admin Hosts: fw01.domain.local, jmp0.domain.local, subca-fw01.domain.local # /var/log/pki/pki-tomcat/ca/debug.2023-05-01.log 2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: CertProcessor: no profile policy set found 2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: Unable to create enrollment request: Policy Set Not Found # /var/log/httpd/error_log [Tue May 02 01:20:24.946972 2023] [wsgi:error] [pid 406021:tid 406343] [remote 192.168.10.12:42596] ipa: INFO: [jsonserver_kerb] ipa-admin(a)IPA.LOCAL: cert_request/1('-----BEGIN CERTIFICATE REQUEST-----\\*********************=\\n-----END CERTIFICATE REQUEST-----\\n', profile_id='SubCA', principal='host/subca-fw01.domain.local', version='2.245'): HTTPRequestError Please ignore the different timestamps, they're various attempts all with the same log messages.