I'm sure this could be polished, but here is the procedure and script I've used to handle this scenario (detection of duplicate CFEngine keys) in an enterprise-scale environment:
Put the following into a file called "detect_duplicate_keys.sh" on the CFEngine hub:
#!/bin/sh
# Author: unknown
# Every 10 seconds, snapshot the hub's "Incoming" host list as "<ip>\t<key hash>"
# and print the diff against the previous snapshot. A key that is shared by two
# hosts shows up as the same hash flipping between their IPs from one snapshot
# to the next.
tmpfile=/tmp/keys

# One line per Incoming host, sorted by key hash so that diff lines up by key.
snapshot() {
    cf-key -s |
    sed -n 's/^Incoming *\([0-9.]*\).*\(\(SHA\|MD5\)=[0-9a-f]*\)$/\1\t\2/p' |
    sort -k2
}

snapshot > "$tmpfile"2   # baseline, so the first mv and diff have a file to work on
while sleep 10
do
    mv -f "$tmpfile"2 "$tmpfile"1
    snapshot > "$tmpfile"2
    printf '%s: Number of Incoming hosts: %s Diff from previous:\n' "$(date)" "$(wc -l < "$tmpfile"2)"
    diff "$tmpfile"1 "$tmpfile"2
done
Then, run the script with "nohup ./detect_duplicate_keys.sh &" for about an hour (you can do less, it's up to you). Make sure the "keys1" and "keys2" files aren't still sitting in /tmp from a previous run of the script, first. And also ensure "nohup.out" isn't already present in the current directory beforehand (because that's what you'll be appending to).
Run "sed -n 's/^> //p;s/^< //p' nohup.out | sort -u" after the script has been running a while. You'll see a list of the unique IP addresses with duplicate CFEngine keys. These are the hosts on which you need to wipe and reinstall CFEngine (or you could muck around with removing the existing key and regenerating a key on each of those hosts, but I wouldn't bother, personally).
Disclaimer: I may have made a typo in transcribing this; it wasn't copy-and-pasted. However, if it works at all, it will work. :) (In other words if I haven't made a dumb typo that stops it from even running, then it will work as intended and as it did for me.)
Best,
--Mike Weilgart
Vertical Sysadmin, Inc.
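The post's diff shows each IP flip as it happens; as an added example (not code from the original post), the script below collects a series of saved cf-key -s snapshots into one table of key hashes that have been presented by more than one IP. The sample input is constructed in the column layout cf-key -s uses and is not a real hub listing; the function names and the /tmp/keys-* path in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: list every key hash that more
# than one IP address has presented across several "cf-key -s" snapshots.

# Print "<ip> <hash>" for each Incoming line on stdin. Portable awk
# equivalent of the post's GNU sed expression (Outgoing lines are dropped).
extract_pairs() {
    awk '$1 == "Incoming" && $NF ~ /^(SHA|MD5)=[0-9a-f]+$/ { print $2, $NF }'
}

# Read "<ip> <hash>" pairs on stdin and print "<hash> <ip> <ip>..." for each
# hash seen with more than one distinct IP, i.e. a duplicated key.
shared_keys() {
    sort -u | awk '
        { ips[$2] = (ips[$2] == "" ? $1 : ips[$2] " " $1); seen[$2]++ }
        END { for (h in seen) if (seen[h] > 1) print h, ips[h] }
    ' | sort
}

# Constructed sample: two snapshots taken 10 s apart. Key SHA=0000beef is
# reported from 10.0.0.11 in the first and from 10.0.0.12 in the second, so
# those two hosts share a key. SHA=0000cafe stays on one IP, and the
# Outgoing line (the hub's own connection) must be ignored.
sample_snapshots() {
    cat <<'EOF'
Direction IP          Name   Last connection           Key
Incoming  10.0.0.10   web01  Mon Jan  1 12:00:00 2024  SHA=0000cafe
Incoming  10.0.0.11   app01  Mon Jan  1 12:00:01 2024  SHA=0000beef
Outgoing  10.0.0.20   hub01  Mon Jan  1 12:00:02 2024  SHA=0000dead
Direction IP          Name   Last connection           Key
Incoming  10.0.0.10   web01  Mon Jan  1 12:00:10 2024  SHA=0000cafe
Incoming  10.0.0.12   app02  Mon Jan  1 12:00:11 2024  SHA=0000beef
Outgoing  10.0.0.20   hub01  Mon Jan  1 12:00:12 2024  SHA=0000dead
EOF
}

# Full pipeline over the sample. On a real hub, replace sample_snapshots with
# something like "cat /tmp/keys-*" over snapshots saved from cf-key -s
# (hypothetical path).
find_shared_keys() {
    sample_snapshots | extract_pairs | shared_keys
}

find_shared_keys
```

Unlike the post's diff, which only reports the moment a key changes hands, this aggregation keeps reporting a shared key for as long as any snapshot in the set has seen it on a second IP, so a quiet host that flipped only once is still listed.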