puppetca module should not run puppet cert commands as root
Currently, the puppetca code is set up to run 'puppet cert' commands via sudo as root. This seems to me to be an unnecessary privilege escalation, it should run the command as the user running puppet. Normally this user is 'puppet', but that should be configurable I guess.
The problem with running as root is partly that since it is not absolutely necessary it shouldn't be done (by principal), and partly that users can have puppet certificates stored on a shared filesystem (for example NFS) where the root user on the puppet system have no access.