The easiest way to separate the CA dir from the SSL dir is to create the files in a different location (or migrate them), and then provide a symlink from the old location to the new location. This will prevent users from automatically deleting their CA files, as rm -rf will just unlink the symlink and not follow it to delete the files themselves.
When puppetserver starts, we should
- if the CA is not yet initialized, create it in the new location (/etc/puppetlabs/puppetserver/ca) and create a symlink from the configured location to the new one (see
SERVER-2895for similar change to the CLI setup command)