@Pryz
Created December 30, 2013 15:06
#
# Perform the Puppet master migration by changing the server value in
# puppet.conf and resetting the node's certificates
#
class puppet::migrate ( $puppetmaster ) {
  if $puppetmaster == undef {
    fail('You must define the targeted Puppet master to perform the migration')
  }

  # Point the agent at the new master by editing [main] server in puppet.conf.
  augeas { 'puppet.conf.migrate':
    context => '/files/etc/puppet/puppet.conf/main',
    changes => [
      "set server ${puppet::migrate::puppetmaster}",
    ],
  }

  # These next two objects handle migration to a new puppet master
  # server - if the value of $puppetmaster is updated, the
  # puppet-clear-certs.sh script is executed.
  file { 'puppet-clear-certs.sh':
    source => 'puppet:///modules/puppet/puppet-clear-certs.sh',
    path   => '/var/lib/puppet/lib/puppet-clear-certs.sh',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  exec { '/var/lib/puppet/lib/puppet-clear-certs.sh':
    path    => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
    require => [
      File['puppet-clear-certs.sh'],
      Augeas['puppet.conf.migrate'],
    ],
    # Do not reset when the CA certificate and this node's certificate
    # already name the new master (substring match on the certificate text).
    unless  => [
      "openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem | grep ${puppet::migrate::puppetmaster} >/dev/null 2>&1",
      "openssl x509 -text -in /var/lib/puppet/ssl/certs/${::fqdn}.pem | grep ${puppet::migrate::puppetmaster} >/dev/null 2>&1",
    ],
  }
}

# Usage
node 'node-tomigrate.domain.com' {
  class { 'puppet::migrate':
    puppetmaster => 'new-puppet-master.domain.com',
  }
}

#!/bin/bash
# This script is a hack to remove SSL certificates from a puppet
# client to prepare it for migration to a new puppet master server
# after puppet has altered the puppet.conf file to point to the new
# puppet master server.
#
# Normally, if you subscribe the puppet service to the puppet.conf
# file, the puppet service will be restarted too soon, interrupting
# the current puppet run. Various attempts at using
# configure_delayed_restart among other things have not proven to be
# 100% effective. This script watches the puppetdlock file, which
# indicates whether a run is in progress. If there is a run in
# progress, we sleep for a second and then test again until the
# process is unlocked. Once unlocked, we can safely delete the
# certificates and call a puppet restart. The checker process itself
# gets forked into the background. If it were not forked into the
# background, the puppet run would sit and wait for the process to
# return, or for the exec timeout, whichever came first. This would
# cause serious trouble if timeouts were disabled or set to very long
# periods of time.
#
# This script was inspired by this blog post by Ryan Uber:
# http://www.ryanuber.com/puppet-self-management.html
#
# Begin waiting for the current puppet run to finish, then restart.
# The watcher's output is discarded so the detached shell does not keep
# the agent's stdout/stderr open after this script has exited.
# Only the certificates, pending requests and CRL are removed; the
# node's private key is kept, so the agent re-requests a certificate
# for the same key from the new master.
/bin/sh -c "
until [ ! -f /var/lib/puppet/state/puppetdlock ]
do
    sleep 1
done
/sbin/service puppet stop
rm -f /var/lib/puppet/ssl/certs/*
rm -f /var/lib/puppet/ssl/certificate_requests/*
rm -f /var/lib/puppet/ssl/crl.pem
/sbin/service puppet start
" >/dev/null 2>&1 &
# Always return true, since this script just forks another process.
exit 0
# EOF
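The manifest's `unless` checks grep the whole certificate text for the master's name, and the script polls the lock file with no upper bound. The shell functions below, an added example and not part of the gist, do the same two checks more strictly: an exact subject/issuer comparison against the "Puppet CA: <master>" name that Puppet's CA writes into its certificate, and a bounded wait on the lock file. They assume `openssl` on PATH and the `<ssldir>/certs/ca.pem` and `<ssldir>/certs/<fqdn>.pem` layout used on the page.

```shell
#!/bin/sh
# Added example, not part of the gist. Stricter versions of the two checks
# the gist relies on. Assumes openssl on PATH and the layout
# <ssldir>/certs/ca.pem and <ssldir>/certs/<fqdn>.pem used on the page.

# Print one name field (subject or issuer) of a PEM certificate in RFC 2253
# form, e.g. "CN=Puppet CA: new-puppet-master.domain.com". Fails if the
# file is unreadable; prints nothing if openssl cannot parse it.
cert_name() { # $1 = subject|issuer, $2 = certificate path
    [ -r "$2" ] || return 1
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" 2>/dev/null |
        sed 's/^[a-z]*= *//'
}

# Succeed only when the CA certificate is the expected master's CA
# ("Puppet CA: <master>" is the CN Puppet's CA uses), the agent certificate
# was issued by that CA, and it really is this node's certificate.
# Unlike "grep <master>", a CA whose name merely contains <master>, or a
# certificate belonging to another node, does not pass.
certs_match_master() { # $1 = ssldir, $2 = agent fqdn, $3 = expected master
    ca_subject=$(cert_name subject "$1/certs/ca.pem") || return 1
    agent_subject=$(cert_name subject "$1/certs/$2.pem") || return 1
    agent_issuer=$(cert_name issuer "$1/certs/$2.pem") || return 1
    [ "$ca_subject" = "CN=Puppet CA: $3" ] &&
        [ "$agent_issuer" = "CN=Puppet CA: $3" ] &&
        [ "$agent_subject" = "CN=$2" ]
}

# Wait until the agent lock file is gone (no run in progress), polling once
# a second as the gist does, but give up after $2 seconds so that a stale
# lock left behind by a crashed agent cannot block the reset forever.
wait_for_unlock() { # $1 = lock file, $2 = maximum seconds to wait
    waited=0
    while [ -f "$1" ]; do
        [ "$waited" -lt "$2" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}
```

In the exec's `unless`, `certs_match_master /var/lib/puppet/ssl "$(hostname -f)" new-puppet-master.domain.com` replaces the two grep commands, and `wait_for_unlock /var/lib/puppet/state/puppetdlock 600 || exit 1` replaces the unbounded `until` loop in the script.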

llauren commented Jun 20, 2019

Suggestion: Just in case the certs are stored in some exotic directory, you could say ssldir=$(puppet config print ssldir) before stopping the puppet service (puppet resource service puppet ensure=stopped :), then rm -f ${ssldir}/certs/*, rm -f ${ssldir}/certificate_requests/* and rm -f ${ssldir}/crl.pem.
