I have been exploring the possibilities of using FreeIPA CA as an external Puppet CA with the requirement that Puppet will stay unmodified. Here are some notes: http://www.freeipa.org/page/IPA_as_external_Puppet_CA Thank you, Andrew