Both ends, quick n dirty

certprep.sh

#!/bin/bash
sudo puppet cert generate $SERIAL
declare -xr DS_REPOSITORY_PATH=/foo
declare -xr SSLDIR=/private/etc/puppet/ssl/
mkdir /$DS_REPOSITORY_PATH/PuppetCerts/$SERIAL
mv $SSLDIR/ca/signed/$SERIAL.pem /$DS_REPOSITORY_PATH/PuppetCerts/$SERIAL/cert-$SERIAL.pem
mv $SSLDIR/private_keys/$SERIAL.pem /$DS_REPOSITORY_PATH/PuppetCerts/$SERIAL/priv-key-$SERIAL.pem
mv $SSLDIR/public_keys/$SERIAL.pem /$DS_REPOSITORY_PATH/PuppetCerts/$SERIAL/pub-key-$SERIAL.pem

ds_seed_certs.sh

#!/bin/sh

# testing target volume, my boot drive
DS_LAST_RESTORED_VOLUME="/Volumes/Mac95GB"

declare -x TARGETED_INTERNAL_DRIVE="$DS_LAST_RESTORED_VOLUME"
declare -x PUPPET_CLIENT_CERTS_DIR="$DS_REPOSITORY_PATH/PuppetCerts"

cp "$PUPPET_CLIENT_CERTS_DIR"/$DS_SERIAL_NUMBER/cert-$DS_SERIAL_NUMBER.pem "$TARGETED_INTERNAL_DRIVE"/var/lib/ssl/certs/$DS_SERIAL_NUMBER.pem "
echo "$PUPPET_CLIENT_CERTS_DIR"/priv-key-"$DS_SERIAL_NUMBER".pem "$TARGETED_INTERNAL_DRIVE"/var/lib/ssl/private_keys/$DS_SERIAL_NUMBER.pem
echo "$PUPPET_CLIENT_CERTS_DIR"/pub-key-"$DS_SERIAL_NUMBER".pem "$TARGETED_INTERNAL_DRIVE"/var/lib/ssl/public_keys/$DS_SERIAL_NUMBER.pem
# chown -R root:wheel /var/lib/ssl

while getopts "v" opt; do
	case "$opt" in
		v) DS_LAST_RESTORED_VOLUME="$OPTARG";;
	esac
done

exit 0

This would work as long as you're running puppet cert generate on the Puppet master and that $SERIAL were also being set as the certname for the agent.