@jay7x
Last active February 18, 2026 08:39
Configure theforeman/puppet & puppetlabs-puppetdb to use separate puppetserver certificate
# Hiera config to change puppetserver certname
puppet::server_certname: puppetserver01
profile::puppetdb::server_certname: "%{alias('puppet::server_certname')}"
# Add real hostname to the certificate SAN list
puppet::dns_alt_names:
  - "%{facts.networking.fqdn}"
  # Add more names if needed

# @summary Manage puppetdb
#
# @param server_certname
#   Puppetserver certname, set in Hiera
class profile::puppetdb (
  String[1] $server_certname,
) {
  $puppet_ssl_dir = '/etc/puppetlabs/puppet/ssl'
  $ssl_dir        = '/etc/puppetlabs/puppetdb/ssl'

  # Point PuppetDB at its own copies of the CA certificate, certificate and key
  class { 'puppetdb':
    ssl_set_cert_paths => true,
    ssl_ca_cert_path   => "${ssl_dir}/ca.pem",
    ssl_cert_path      => "${ssl_dir}/public.pem",
    ssl_key_path       => "${ssl_dir}/private.pem",
  }

  # Copy the files issued under $server_certname from the Puppet SSL directory
  # and refresh the puppetdb service whenever one of them changes
  file {
    default:
      owner   => 'puppetdb',
      group   => 'puppetdb',
      notify  => Service['puppetdb'],
      require => Package['openvoxdb'],
      ;
    $ssl_dir:
      ensure => 'directory',
      mode   => '0750',
      ;
    "${ssl_dir}/public.pem":
      ensure => 'file',
      source => "${puppet_ssl_dir}/certs/${server_certname}.pem",
      ;
    # Private key: readable by the puppetdb user and group only
    "${ssl_dir}/private.pem":
      ensure => 'file',
      source => "${puppet_ssl_dir}/private_keys/${server_certname}.pem",
      mode   => '0640',
      ;
    "${ssl_dir}/ca.pem":
      ensure => 'file',
      source => "${puppet_ssl_dir}/certs/ca.pem",
      ;
  }
}
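
A post-deployment check for the setup above, as an added example that is not part of the original gist: it confirms that the certificate copied to `public.pem` covers the node's real hostname (the `puppet::dns_alt_names` entry), that `private.pem` belongs to that certificate, and that the key is not accessible to other users. The function names are hypothetical, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the gist): sanity checks for the files that
# profile::puppetdb copies into PuppetDB's SSL directory.
# Function names are hypothetical; requires the openssl CLI.

# cert_matches_host CERT NAME: succeeds if NAME is covered by the certificate.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# key_matches_cert CERT KEY: succeeds if KEY is the private key for CERT.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_not_world_accessible KEY: succeeds if "other" has no permission bits.
key_not_world_accessible() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# check_puppetdb_ssl SSL_DIR NAME: run all checks, report each failure.
check_puppetdb_ssl() {
    dir=$1 host=$2 rc=0
    cert_matches_host "$dir/public.pem" "$host" ||
        { echo "FAIL: $host is not in the SAN list of $dir/public.pem" >&2; rc=1; }
    key_matches_cert "$dir/public.pem" "$dir/private.pem" ||
        { echo "FAIL: $dir/private.pem does not match $dir/public.pem" >&2; rc=1; }
    key_not_world_accessible "$dir/private.pem" ||
        { echo "FAIL: $dir/private.pem is accessible to other users" >&2; rc=1; }
    return "$rc"
}

# Example: sh check.sh /etc/puppetlabs/puppetdb/ssl "$(hostname -f)"
if [ "$#" -eq 2 ]; then
    check_puppetdb_ssl "$1" "$2"
fi
```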