SERVER-119, some work was done to ensure that the values for custom certificate extensions were represented as UTF8Strings within the payload of an OctetString rather than just being a raw value inside of an OctetString. This work was done to ensure that custom certificate extensions follow the format specified in RFC 5280.
As this is technically a breaking change in the content produced for new certificates, this work was intended to go into Puppet Server 2.X and Puppet 4.x only. However, by bumping Puppet Server 1.0.8's dependency on puppetabs/ssl-utils to version 0.8.0, this change ended up going into Puppet Server 1.0.8 as well.
For backward compatibility, the ssl-utils 0.8.0 implementation will handle properly decoding a certificate that has extensions with raw values inside of an OctetString. Beyond just the change in content generated, the only problem this issue should pose is that a certificate generated for Puppet Server 1.0.8 that has custom extensions would not be properly decodable, e.g., trusted facts would not be retrievable when referenced by manifests, if used in a prior Puppet Server 1.0.x release. If a certificate had been generated for Puppet Server 1.0.8, then, the use of it could cause problems on a downgrade to Puppet Server 1.0.2 or earlier.