This is exactly the use case, I require in my scenario. I must have several
Puppet CAs, each acting as intermediate CA that has an individual CA
certificate signed by a single root CA. Each intermediate CA signes the certificates of some puppet agents. I have created a small picture to show you how the scenario should look like.The root puppetmaster acts as a bootstrapping node that should set up different nodes as puppetmaster when someone assignes the puppetmaster role to this new node.