- move puppetca from vm to lxd - remove old ca host hieradata - ensure this new ca (and all new ca's) can revoke certificates
