this is something @Chris_Duryee and I were trying to do the other day too, and we ended up setting ca_server on each client to puppetserver1, as the ca_proxy feature of theforeman-puppet only works for Puppet masters running inside Passenger, not as a standalone Puppetserver.
Ya, if you are using the older Passenger puppetserver, you can add proxypass rules to your httpd to send the CA request to a different server (in your case server 2 would proxypass to server 1) and do SSL termination in httpd. However, you may need to set “allow-header-cert-info” on your signing server which is a security risk, since you are sending requests from server 2 to server 1 (not client to server 1), and server 1 has to honor those requests. This may or may not be OK in your environment.
A less complex option is to use “ca_server” and “ca_port” on your clients. This lets the clients reach out to server 1 for their certs, and then either server 1 or server 2 for checkins. This is the recommended method in the puppetlabs scaling doc . You can also set an SRV record which basically does the same thing, but puts the configuration in DNS instead of on the client filesystem.