Option 1: Puppet Server functioning as an intermediate CA
Puppet Server can operate as an intermediate CA to an external root CA.
See Using Puppet Server as an intermediate certificate authority.
Puppet Core | 8.13.0
Puppet Server can operate as an intermediate CA to an external root CA.
See Using Puppet Server as an intermediate certificate authority.