Integrating Puppet with an External CA to renew Puppet certificates


Carlos Mata

Jul 14, 2017, 5:13:25 PM
to Puppet Users
I have the following scenario:

  • An infrastructure of almost 200 servers that I want to manage using Puppet.
  • The need to have a Certificate Authority (CA) that communicates with a Hardware Security Module (HSM) where the CA root key is stored.
  • The need to resolve the problem of managing the PKI certificates needed by the Puppet Agent in the most automated way possible.

My first thought was to use Puppet CA to solve this problem and take advantage of the automation of the PKI certificates that the Puppet Agent uses. The problem is that I did not find any information regarding accessing an HSM from the Puppet CA.

My second thought is to use an external CA such as FreeIPA's Dogtag service to communicate with the HSM, but I guess that I will lose the automated PKI certificate requests that Puppet CA provides. I think that I could then use Puppet to regenerate the certificates using FreeIPA, but I don't know if this would become a "chicken and egg problem".

Has someone here faced a problem similar to these...?
  • Solving automation of PKI certificate management using Puppet but without Puppet CA.
  • Integrating an HSM with Puppet or Foreman.
  • Puppet with Dogtag.

Thanks in advance

Carlos
