We'll need to roll over the Puppet CA, mostly to switch to 2k certs and unblock general usage of host certs for high-traffic applications. Open questions:
- is there a smarter way to do the CA rollover, and how do we do it?
- details needed on how Puppet manages the CA
- Puppet management of the CA: how much is it embedded?
- can Puppet generate/add SANs?