The "canonical", up-to-date Certificate Authority bundle currently provides many root certificates. We grab the Mozilla 'certdata.txt', use the 'certdata2pem.py' script from Red Hat to split it into PEM files, and remove anything that is untrusted (i.e. anything with a value in the distrust= field) or that doesn't explicitly list serverAuth in the openssl-trust field. The result lines up with the linked curl bundle above.
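As an added illustration of the filtering rule above (not the repo's own Makefile logic), the following Python check applies that rule to the per-certificate PEM files. It assumes certdata2pem.py writes "# distrust=" and "# openssl-trust=" comment headers at the top of each file; the sample inputs are constructed, not real certificates.

```python
import re
from typing import Dict, List

# Assumption: certdata2pem.py prefixes each PEM file with comment lines of the
# form "# key=value" (alias, trust, distrust, openssl-trust) ahead of the
# "-----BEGIN CERTIFICATE-----" line.
HEADER_RE = re.compile(r"^#\s*([\w-]+)=(.*)$")

def parse_headers(pem_text: str) -> Dict[str, str]:
    """Return the '# key=value' header comments as a dict of raw values."""
    headers: Dict[str, str] = {}
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN"):
            break  # headers end where the certificate body starts
        m = HEADER_RE.match(line.strip())
        if m:
            headers[m.group(1)] = m.group(2).strip()
    return headers

def keep_for_server_auth(pem_text: str) -> bool:
    """Apply the bundle rule: reject anything with a non-empty distrust=
    field, and keep only certs whose openssl-trust= field explicitly lists
    serverAuth. A missing openssl-trust header counts as not explicit."""
    headers = parse_headers(pem_text)
    if headers.get("distrust", ""):
        return False
    return "serverAuth" in headers.get("openssl-trust", "").split()

def filter_bundle(pem_blobs: List[str]) -> List[str]:
    """Keep only the PEM blobs that pass keep_for_server_auth."""
    return [blob for blob in pem_blobs if keep_for_server_auth(blob)]

# Constructed sample inputs: only the header fields matter, the bodies are
# stubs, not real certificates.
SAMPLES = {
    "web_root": "# alias=\"Example Web Root\"\n# trust=CKA_TRUST_SERVER_AUTH\n"
                "# distrust=\n# openssl-trust=serverAuth emailProtection\n"
                "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "distrusted": "# alias=\"Withdrawn Root\"\n# trust=\n"
                  "# distrust=CKA_TRUST_SERVER_AUTH\n# openssl-trust=serverAuth\n"
                  "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "email_only": "# alias=\"Mail Root\"\n# trust=CKA_TRUST_EMAIL_PROTECTION\n"
                  "# distrust=\n# openssl-trust=emailProtection\n"
                  "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {'keep' if keep_for_server_auth(blob) else 'drop'}")
```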
Run make refresh-certs to download new certs, clean out those we do not want, and format them for this repo.

Run make prepare to create the cert bundle and keystore that will be installed in puppet-runtime builds.

Run make install to copy the already prepared PEM and JKS cert bundles and set permissions on the installed files. For the FIPS build, run make install-fips instead.

Then update the configs/components/puppet-ca-bundle.json file in puppet-runtime with the new version.