cergen is currently only installed on puppetmaster1001 by means of the cergen Puppet class. Even building cergen for Buster proved to be challenging back then, as it needs python-networkx 1 and even back then needed python3-lib2to3 (https://phabricator.wikimedia.org/T235405)
There are curently 47 services defined in certificate.manifests.d which use the Puppet 5 CA (authority: puppet_ca), we should probably just fix forward and move them all to the PKI/cfssl (some might also no longer be in use and just need cleaning up):
[] analytics_http_ui.certs.yaml
[] aphlict.certs.yaml
[] apt-staging.certs.yaml
[] chartmuseum.certs.yaml
[] config-master.certs.yaml (config-master.w.o uses cfssl starting with https://github.com/wikimedia/operations-puppet/commit/131906b285e54518cbed24937ca84228e593d7f4, but cert still in use for Puppet master frontends (and will be phased out along with it))
[] contint.certs.yaml
[] debmonitor.certs.yaml
[] doc.certs.yaml
[] docker_registry.certs.yaml
[] _etcd-server-ssl._tcp.v3.certs.yaml T352245
[] etcd-v3.certs.yaml T352245
[] etcd-v3-eqiad.certs.yaml T352245
[] etherpad.certs.yaml
[] grafana.certs.yaml
[] grafana_labs.certs.yaml
[] graphite.certs.yaml
[] kafka_fundraising_client.certs.yaml
[] kafka_test.certs.yaml
[] kartotherian.certs.yaml
[] kibana.certs.yaml
[] labweb.certs.yaml
[] mediawiki.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube)
[] mwmaint.certs.yaml (used by noc.w.o which is already on wikikube, should be just a cleanup)
[] parsoid.certs.yaml (will be obsoleted when all legacy deployments are moved to wikikube)
[] peopleweb.certs.yaml
[] performance.certs.yaml
[] phabricator.certs.yaml
[] planet.certs.yaml
[] prometheus.certs.yaml
[] puppet_ca.certs.yaml
[] purged.certs.yaml
[] releases.certs.yaml
[] relforge.certs.yaml
[] restbase.certs.yaml
[] rt.certs.yaml
[] schema.certs.yaml
[] search.certs.yaml
[] swift.certs.yaml
[] testreduce.certs.yaml
[] thanos-query.certs.yaml
[] ticket.certs.yaml
[] ticket-test.certs.yaml
[] wcqs.certs.yaml
[] wdqs.certs.yaml
[] wdqs-internal.certs.yaml
[] webperf.certs.yaml
[] webserver_misc_apps.certs.yaml