Certificate authority

In a Puppet Enterprise installation, the certificate authority portion of compile masters is fairly easy to solve. Puppet Enterprise uses separate node groups for a CA and compile master. By adding additional compile masters to the PE Master classification group, each master is configured to use the centralized certificate authority on the Master of Masters.

In Puppet open source, we'll need to disable the certificate authority on each of our compile masters using Trapperkeeper. Open /etc/puppetlabs/puppetserver/services.d/ca.cfg, comment out the line puppetlabs.services.ca.certificate-authority-service/certificate-authority-service, and uncomment #puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service. Finally, you'll need to add the ca_server setting to the [main] section of puppet.conf on each agent in your infrastructure (including the compile masters), pointing it at the Master of Masters. Note that this requires network connectivity from every agent to the Master of Masters over the CA port, which by default is 8140 but can be changed with the ca_port setting.

The final goal of this setup is that each compile master has a DNS alt name, every agent connects to a master via that DNS alt name, and the Master of Masters acts as the certificate authority for all nodes.
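A quick way to confirm that a compile master was configured as described above is to check the two files the procedure edits. The script below is an added example, not code from the book or from Puppet; it runs against constructed sample copies of ca.cfg and puppet.conf, and mom.example.com stands in for your Master of Masters.

```shell
#!/bin/sh
# Added example: verify a compile master's CA setup. The local CA must be
# disabled in services.d/ca.cfg and ca_server must point at the Master of
# Masters in the [main] section of puppet.conf.

CA_SVC='puppetlabs\.services\.ca\.certificate-authority-service/certificate-authority-service'
CA_DISABLED_SVC='puppetlabs\.services\.ca\.certificate-authority-disabled-service/certificate-authority-disabled-service'

# $1: path to ca.cfg. Succeeds only when the CA service line is commented
# out AND the disabled-service line is active (leading whitespace allowed).
check_ca_cfg() {
  grep -Eq "^[[:space:]]*${CA_DISABLED_SVC}" "$1" &&
    ! grep -Eq "^[[:space:]]*${CA_SVC}" "$1"
}

# $1: path to puppet.conf; $2: expected Master of Masters FQDN.
# Only ca_server inside [main] counts; the same key in [agent] is ignored.
check_ca_server() {
  awk -v want="$2" '
    /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\]/) }
    in_main && /^[[:space:]]*ca_server[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); found = $0
    }
    END { if (found == want) exit 0; exit 1 }
  ' "$1"
}

# Constructed sample files (placeholder hostnames, not real infrastructure).
TMP=$(mktemp -d)
GOOD_CA_CFG="$TMP/ca.cfg"; BAD_CA_CFG="$TMP/ca-bad.cfg"; CONF="$TMP/puppet.conf"
ENABLED_LINE='puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'
DISABLED_LINE='puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'
# Correctly edited ca.cfg: CA service commented out, disabled service active.
printf 'services: {\n    #%s\n    %s\n}\n' "$ENABLED_LINE" "$DISABLED_LINE" > "$GOOD_CA_CFG"
# Untouched ca.cfg: the compile master would still run its own CA.
printf 'services: {\n    %s\n    #%s\n}\n' "$ENABLED_LINE" "$DISABLED_LINE" > "$BAD_CA_CFG"
# puppet.conf with ca_server in [main]; the [agent] value must be ignored.
printf '[main]\nserver = compile01.example.com\nca_server = mom.example.com\n[agent]\nca_server = wrong.example.com\n' > "$CONF"

if check_ca_cfg "$GOOD_CA_CFG"; then echo "ca.cfg: local CA disabled"; else echo "ca.cfg: local CA still enabled"; fi
if check_ca_cfg "$BAD_CA_CFG"; then echo "ca-bad.cfg: local CA disabled"; else echo "ca-bad.cfg: local CA still enabled"; fi
if check_ca_server "$CONF" mom.example.com; then echo "puppet.conf: ca_server points at the Master of Masters"; fi
```

Point the two functions at /etc/puppetlabs/puppetserver/services.d/ca.cfg and /etc/puppetlabs/puppet/puppet.conf to check a real compile master.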
