Digicert/External CA on puppetmaster SSL


Aditya S

Mar 28, 2019, 5:37:10 PM
to Puppet Users
Hello,

Is there a way for me to generate a CSR to have a puppetserver signed by an external CA like Digicert? I wanted to do the following:

1. Create two master servers, master1.example.de & master2.example.de and create a Load Balancer DNS name master.example.de
2. Generate a CSR for my masters which will be signed by Digicert.
3. Import the thus obtained signed certs to the master and have all the agents be signed by master1.example.de and sync the /etc/puppetlabs/puppet/ssl folder to master2.example.de 

I was able to get 1. kinda working by using "server" and "dns_alt_names" in the puppet.conf and verified it by looking at the actual cert but I don't know how to compound it with 2 and 3. 

Please let me know how this can be done

Thanks!

Aditya S

Mar 28, 2019, 7:36:05 PM
to Puppet Users
Just an addition to the question: can I change the contents of /etc/puppetlabs/puppet/ssl/certs without any issues to the CA that puppetserver creates? Would that be my solution?