diff --git a/site/profiles/manifests/puppet/puppetca.pp b/site/profiles/manifests/puppet/puppetca.pp
index e94ecad..fae0a9e 100644
--- a/site/profiles/manifests/puppet/puppetca.pp
+++ b/site/profiles/manifests/puppet/puppetca.pp
@@ -21,16 +21,37 @@ class profiles::puppet::puppetca (
 # manage the crl file
 if $is_puppetca {
 # export the puppet crl.pem
- @@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+ @@file { '/etc/puppetlabs/puppet/ssl/crl.pem.latest':
 ensure => file,
 content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
 tag => 'crl_pem_export',
 }
+ systemd::manage_dropin { 'copy_crl.conf':
+ ensure => absent,
+ unit => 'puppetserver.service',
+ }
 }else{
 # import the puppet crl.pem
 File <<| tag == 'crl_pem_export' |>> {
 require => Service['puppetserver'],
 }
+ # copy latest to active location
+ file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+ ensure => file,
+ owner => 'puppet',
+ group => 'puppet',
+ source => '/etc/puppetlabs/puppet/ssl/crl.pem.latest',
+ require => File['/etc/puppetlabs/puppet/ssl/crl.pem.latest'],
+ }
+ # add a execstartpost to the puppetserver.service
+ systemd::manage_dropin { 'copy_crl.conf':
+ ensure => present,
+ unit => 'puppetserver.service',
+ service_entry => {
+ 'ExecStartPost' => '/usr/bin/sleep 2; /bin/cp /etc/puppetlabs/puppet/ssl/crl.pem.latest /etc/puppetlabs/puppet/ssl/crl.pem',
+ },
+ require => File['/etc/puppetlabs/puppet/ssl/crl.pem'],
+ }
 }
 
 # register the PuppetCA service with consul
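Review bot: The `ExecStartPost` value in the new `copy_crl.conf` drop-in writes `sleep 2;` with the semicolon attached to the argument. As I read systemd.service(5), a command separator has to be a word of its own, so `/usr/bin/sleep` would likely receive `2;` and the cp arguments and exit non-zero, and a failing ExecStartPost marks the puppetserver start as failed. Write it as `'ExecStartPost' => '/usr/bin/sleep 2 ; /bin/cp /etc/puppetlabs/puppet/ssl/crl.pem.latest /etc/puppetlabs/puppet/ssl/crl.pem',` and check how `systemd::manage_dropin` renders the entry. Separately, the new `file { '/etc/puppetlabs/puppet/ssl/crl.pem': }` resource installs whatever was collected without checking it, and nothing in the hunk notifies or reloads the service, so a truncated or stale CRL could leave revoked certificates accepted on this node. Consider adding `validate_cmd => '/usr/bin/openssl crl -in % -noout',` plus a comment saying how puppetserver picks up the replaced CRL. The class body begins and ends outside the hunk.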