So, this is the best I can do:
Ok, here we go, how to configure an "in the middle" puppetmaster.
E.g.
```
Puppetmaster (CA) - server-A
Puppetmaster & Agent (to server-A) - server B
Agent (to server-B) - server-C
```
On server-B:
`service puppet stop`
`service puppetserver stop`
`vi /etc/puppetlabs/puppet/ssl/crls.pem` - new file:
```
-----BEGIN X509 CRL-----
Content from /etc/puppetlabs/puppet/ssl/crl.pem - on server-b
-----END X509 CRL-----
-----BEGIN X509 CRL-----
Content from /etc/puppetlabs/puppetserver/ca/ca_crl.pem - on server-a
-----END X509 CRL-----
```
`vi /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem` - new file:
```
-----BEGIN CERTIFICATE-----
Content from /etc/puppetlabs/puppet/ssl/certs/ca.pem - on server-b
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Content from /etc/puppetlabs/puppetserver/ca/ca_crt.pem - on server-a
-----END CERTIFICATE-----
-----BEGIN PUBLIC KEY-----
Content from /etc/puppetlabs/puppetserver/ca/ca_pub.pem - on server-a
-----END PUBLIC KEY-----
```
`cp /etc/puppetlabs/puppet/ssl/certs/server-b.pem /etc/puppetlabs/puppet/ssl/public_keys/server-b.pem`
```
Note: not sure if that last cp is right, and not sure if you also need to copy:
/etc/puppetlabs/puppetserver/ca/ca_key.pem - from server-a
to
/etc/puppetlabs/puppet/ssl/private_keys/server-a.pem - on server-b
```
Then run:
`mv /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem.bak`
`mv /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem.bak`
`mv /etc/puppetlabs/puppet/ssl/certs/server-b.pem /etc/puppetlabs/puppet/ssl/certs/server-b.pem.bak`
And then the import:
```
puppetserver ca import --config /etc/puppetlabs/puppet/puppet.conf --private-key /etc/puppetlabs/puppet/ssl/private_keys/server-b.pem --crl-chain /etc/puppetlabs/puppet/ssl/crls.pem --cert-bundle /etc/puppetlabs/puppet/ssl/certs/ca_bundle.pem
```
Then copy back the originals:
`mv /etc/puppetlabs/puppet/ssl/certs/ca.pem.bak /etc/puppetlabs/puppet/ssl/certs/ca.pem`
`mv /etc/puppetlabs/puppet/ssl/crl.pem.bak /etc/puppetlabs/puppet/ssl/crl.pem`
`mv /etc/puppetlabs/puppet/ssl/certs/server-b.pem.bak /etc/puppetlabs/puppet/ssl/certs/server-b.pem`
You should then be able to successfully run:
`puppet agent -t`
You can then start the puppetserver:
`service puppetserver start`
And should be able to again run:
`puppet agent -t`
Your "sub"-agents (e.g. server-c) should now "just work" - provided they are signed against the CA of server-a...
Regardless, just run from server-c:
`puppet agent -t`
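
The two bundle files above are assembled by hand, so a structural check before running `puppetserver ca import` catches a truncated paste, an unmatched BEGIN/END marker, or private key material that ended up in a bundle. This is an added example, not part of the original post; the function names `pem_block_types` and `check_bundle` are hypothetical, and the sample files are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example: structural check for hand-assembled PEM bundles.
# Function names are hypothetical; the sample data below is constructed.

# Print one line per PEM block type ("CERTIFICATE", "X509 CRL", ...) in file
# order. Exits non-zero on an unmatched BEGIN/END pair or an empty block.
pem_block_types() {
    awk '
        BEGIN { bad = 0; cur = "" }
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") { print "nested BEGIN at line " NR > "/dev/stderr"; bad = 1 }
            cur = substr($0, 12, length($0) - 16); body = 0; next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            type = substr($0, 10, length($0) - 14)
            if (type != cur || body == 0) { print "bad END at line " NR > "/dev/stderr"; bad = 1 }
            else print type
            cur = ""; next
        }
        cur != "" && NF { body++ }
        END { if (cur != "") bad = 1; exit bad }
    ' "$1"
}

# check_bundle FILE EXPECTED_TYPE...
# Returns 0 if the file holds exactly the expected block types, in order.
# Returns 1 on a malformed file or a layout mismatch, 2 if a private key block is present.
check_bundle() {
    file=$1; shift
    types=$(pem_block_types "$file") || return 1
    case $types in
        *"PRIVATE KEY"*) echo "$file: contains private key material" >&2; return 2 ;;
    esac
    want=$(printf '%s\n' "$@")
    [ "$types" = "$want" ]
}

# Constructed sample files (placeholder bodies, not real certificates or CRLs),
# laid out the way the post describes crls.pem and ca_bundle.pem.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
blk() { printf '%s\n' "-----BEGIN $1-----" "QUJDRA==" "-----END $1-----"; }
{ blk "X509 CRL"; blk "X509 CRL"; } > "$demo_dir/crls.pem"
{ blk CERTIFICATE; blk CERTIFICATE; blk "PUBLIC KEY"; } > "$demo_dir/ca_bundle.pem"

check_bundle "$demo_dir/crls.pem" "X509 CRL" "X509 CRL" && echo "crls.pem: layout ok"
check_bundle "$demo_dir/ca_bundle.pem" CERTIFICATE CERTIFICATE "PUBLIC KEY" && echo "ca_bundle.pem: layout ok"
```

On a real server-B, point `check_bundle` at the two files created in the steps above instead of the constructed samples.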