I've marked the PKI hosts in https://wikitech.wikimedia.org/wiki/News/Cloud_VPS_2024_Purge as "In Use" since deployment-prep and other projects rely on them to issue TLS certs.
The nodes should be upgraded to Bullseye or Bookworm, but I am not 100% sure what would be the best procedure to follow.