Trouble creating key/CSR through iControl as user with Certificate Manager role

Have you tried the curl call I mentioned? If the curl command had failed, will you share your command and the error message?

If you have specified a key name with path (e.g., /TestFolder/sat.key) without providing the "partition" property and the call using f5-icontrol-rest-python failed, the module might have done something else internally. If the curl call worked but f5-icontrol-rest-python did not, then that's an f5-icontrol-rest-python issue rather than iControl REST issue. The github issues is probably a better place to discuss it.

Generally speaking, when you encounter iControl REST issues using external utilities (python, PowerShell, etc), it is recommended to run equivalent curl calls to check if the problems come from iControl REST itself or the utilities.

Regarding CSR generation, you are right. You cannot create a CSR on a non-Common partition using the key on the non-Common partition (I should have double checked before posting the curl call example) and it is addressed in ID748940.

(LF inserted for readbility sake)
curl -sku $PASS https://$HOST/mgmt/tm/sys/crypto/csr -X POST 
  -H "Content-type: application/json"
  -d '{"name":"/TestFolder/sat.csr", 
       "common-name":"Foo Bar",
       "organization":"Santama",
       "city":"Fuchu",
       "state":"Tokyo",
       "country":"JP",
      "ou":"Finance",
     "key":"/TestFolder/sat.key"}'
{
    "apiError": 26214401,
    "code": 400,
    "errorStack": [],
    "message": "Unable to extract key information from \"/config/filestore/files_d/TestFolder_d/certificate_key_d/:TestFolder:sat.key_164860_1\"to \"/var/system/tmp/tmsh/87WeWu/ssl.key//TestFolder/sat.key\""
}