Utilizing an alternate CA (Like Microsoft Certificate Services) with Puppet

view story

http://serverfault.com – I'm investigating whether I can somehow make the puppet ecosystem utilize our existing Microsoft Enterprise CA rather than being its own CA. Since puppet touts that all of the system is "standard SSL", my guess is that it is completely possible to do this without much changing of puppet, HOWEVER it's likely a huge manual headache unless puppet is edited to make the proper calls to the enterprise CA. Has anyone tried this before? Is it a "here be dragons, turn away!" situation? (HowTos)