Yes, it works by having SSL client authentication for an "agent" user, or LDAP basic authentication (with or without a pre-defined PIN), or CMC:
example for SSL server cert, look at the profile caAgentServerCert.cfg
example for SSL server cert using CMC, see
for end user cert, examples with caDirPinUserCert.cfg, caDirUserCert.cfg
from the pki command line with LDAP basic authentication, look for the command cert-request-submit with the --username
either
pki cert-request-submit --help
or
pki ca-cert-request-submit --help
see