  • Use of ipa-getcert

    Currently using the --request-cert option when enrolling hosts with ipa-client-install

    Then using the below:

    # Work on a copy of the IPA NSS database and its password file
    mkdir /tmp/cert
    cp /etc/ipa/nssdb/cert8.db /tmp/cert
    cp /etc/ipa/nssdb/key3.db /tmp/cert
    cp /etc/ipa/nssdb/pwdfile.txt /tmp/cert
    # Export the host certificate as PEM
    (cd /tmp/cert/ && certutil -L -d . -a -n 'Local IPA host' >> /etc/pki/tls/certs/<%= @host.name %>.crt)
    # Export certificate and key to PKCS#12
    (cd /tmp/cert && pk12util -o keys.p12 -n 'Local IPA host' -d . -k pwdfile.txt -w pwdfile.txt)
    # Extract the private key, unencrypted (-nodes), as PEM
    (cd /tmp/cert/ && openssl pkcs12 -in keys.p12 -out /etc/pki/tls/private/<%= @host.name %>.key -nodes -password file:pwdfile.txt -nocerts)

    Assume this can be done using ipa-getcert, but not sure how to construct it.

    Any help would be much appreciated...
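One way to construct the ipa-getcert call the post asks about, as an added example that is not part of the original post: certmonger generates the key and writes the PEM certificate and key directly to the target files, so no copy of the NSS database or its password file passes through /tmp. Assumptions: the host is already IPA-enrolled, certmonger is running, the script runs as root, the principal is `host/<fqdn>`, and the function names are hypothetical; the file paths mirror the ones in the post.

```shell
#!/bin/sh
# Added example: request a certmonger-tracked host certificate as PEM files.
# Assumes an enrolled IPA client with certmonger running, executed as root.

# PEM locations used in the post, for a given FQDN.
cert_path() { printf '/etc/pki/tls/certs/%s.crt\n' "$1"; }
key_path()  { printf '/etc/pki/tls/private/%s.key\n' "$1"; }

# Accept only a plain dotted DNS name so it is safe inside a file path.
valid_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

request_host_cert() {
    fqdn=$1
    valid_fqdn "$fqdn" || { echo "invalid FQDN: $fqdn" >&2; return 2; }
    command -v ipa-getcert >/dev/null 2>&1 ||
        { echo "ipa-getcert not found" >&2; return 3; }
    # -f / -k : PEM certificate and key files written by certmonger
    # -K      : Kerberos principal the certificate is issued for
    # -N / -D : subject name and DNS subjectAltName
    # -w      : wait until the request is issued or fails
    ipa-getcert request \
        -f "$(cert_path "$fqdn")" \
        -k "$(key_path "$fqdn")" \
        -K "host/$fqdn" \
        -N "CN=$fqdn" \
        -D "$fqdn" \
        -w || return 1
    # Tracking status for this file; MONITORING means issued and auto-renewed.
    ipa-getcert list -f "$(cert_path "$fqdn")"
}
```

Call it as `request_host_cert "$(hostname -f)"`; the certificate obtained this way is a separate certmonger request from the 'Local IPA host' entry in /etc/ipa/nssdb.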
