Agreed with @Andrew to split this out from the parent task because it's a special case.
All other certs are used for either HTTPS or LDAPS, both of which we can monitor with the same Puppet abstractions for Icinga,
but here the cert is used by OpenStack Nova. I portscanned that a bit and tried to connect on any of the open ports, but I just got
"unknown protocol" errors when trying to speak SSL/TLS to them.
@ArielGlenn found out it's using the cert for SASL auth and the relevant config is in libvirtd.conf:
<apergos> /etc/libvirt/libvirtd.conf read that...
<apergos> auth_tcp = "sasl"