After deploying the Apache CRL check setting to address T184444, several hosts have been found in an unusual state where:
- a signed certificate is present on the agent/server and...
- the certificate has not been revoked but...
- the signed certificate is not present on the puppet master
Normally this could be addressed simply by generating and signing new certificates, but this is complicated by the fact that systems are exposing (via base::expose_puppet_certs) their puppet certificates for use in other applications.
Below are systems exposing their puppet cert/key for use in other applications. Let's review each for impact and potential issues before proceeding with generating/signing new puppet certs.
(check off after new puppet cert has been generated and signed)