Integrating Foreman with External CA to renew Puppet certificates

I have the following scenario:

  • An infrastructure of almost 200 servers that I want to manage using
    Foreman and Puppet (to manage mainly their configuration not for
  • The need to have a Certificate Authority (CA) that communicates with a
    HardwareSecurityModule (HSM) where the root keys are stored.
  • The need to resolve the problem of managing PKI certificates needed by
    the Puppet Agent in the most automated way possible.

My first thought was to use Puppet CA to solve this problem and take
advantage of the automation of the PKI certificates that the Puppet Agent
uses. The problem is that I did not found any information regarding
accessing an HSM form the Puppet CA.

My second thought is to use an external CA such as FreeIPAs Dogtag service
to communicate with the HSM, but I guess that I wlll loose the automation
PKI certificates request that Puppet CA provides. I think that I could
then use Puppet to regenerate the certificates using FreeIPA but I dont
know if this would become a "chicken and egg problem".

Has someone here face a problem similar to theseā€¦?

  • Solving automation of PKI certificates management using Puppet but
    without Puppet CA.
  • Integrating an HSM with Puppet or Foreman.
  • Integrating Foreman with Dogtag.

I found this blog about FreeIPA and Foreman but I
want to know if someone has more information about similar problems to this.

Thanks in advance