
Feature #21645

open

Remove autosign entry when certificate is signed

Added by Roger Mårtensson over 6 years ago. Updated over 6 years ago.

Status:
Need more information
Priority:
Normal
Assignee:
-
Category:
PuppetCA
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

It would be nice if it were possible to enable automatic removal of autosign entries when they get signed (exact match).
This could be a global setting.

Another way is to enable it for specific entries. (Example: via an API setting like "remove_when_signed": "true")

This would help auto-deploy scenarios without needing to build extra scheduled tasks to clean up old autosign entries.

Actions #1

Updated by Marek Hulán over 6 years ago

  • Category changed from API to PuppetCA

I suppose you mean when you explicitly sign the certificate request. I suppose a new parameter to the API could be added, something like "delete_matching_autosign_record". I'm not sure how we'd deal with it in UI though.

Actions #2

Updated by Roger Mårtensson over 6 years ago

I mean that autosign entry will be removed from the autosign list when the autosign-action on certificate has happened.
Example: I add hostname to autosign list, I install puppet, puppet talks to server, server see the autosign on hostname and signs host certificate, autosign entry is removed.

I could of course do this in deploy scripts etc., but I think it should be part of Foreman/the API.

Actions #3

Updated by Marek Hulán over 6 years ago

I think this already happens when you provision a host from Foreman. I'm not sure how we'd hook into puppet ca code so we could contact Foreman to remove the autosign entry when puppet ca signs the request. If this is the flow, it is perhaps RFE for puppet ca itself?

Actions #4

Updated by Roger Mårtensson over 6 years ago

I don't provision via Foreman but via other means.

Actions #5

Updated by Marek Hulán over 6 years ago

So I wonder how Foreman is involved in the process, if at all. The certificate request and signing process happens between the puppet agent and the puppet CA. There's no communication with Foreman at this point. Am I missing something?

Actions #6

Updated by Marek Hulán over 6 years ago

  • Status changed from New to Need more information

Actions #7

Updated by Roger Mårtensson over 6 years ago

That's why I filed this feature request. Currently if I add an autosign-entry it will stay there until removed. I can work around it but would prefer it to be done by Foreman. Feels a bit safer if it's removed after successful signing.

Actions #8

Updated by Marek Hulán over 6 years ago

I don't see how Foreman would be notified by the puppet CA that it's time for deletion. I think this RFE should be opened at the Puppet issue tracker, since Foreman is not involved in this process. We could add something that would periodically scan for signed certs and clean autosign entries, but it does not feel like it belongs to our domain. Of course I could be wrong, so keeping this open for others to jump in.
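The cleanup that comment #8 sketches (scan the signed certificates, then drop the matching autosign entries), written out as an added example; it is not code from Foreman, Puppet or either commenter. It assumes Puppet's autosign.conf layout of one certname or domain-name glob per line, skips blank and `#` lines itself, and takes the list of signed certnames as a constructed input (in a real deployment that list would come from the CA). Only exact-match entries are removed, as the original request asks; a glob entry is left in place and reported instead, because it keeps granting unattended signing to every future request whose certname matches it.

```python
"""Prune exact-match autosign entries once the CA has signed their requests.

Added example, not Foreman or Puppet code. Assumes Puppet's autosign.conf
format: one certname or domain-name glob per line. Blank lines and '#'
comment lines are passed through untouched by this script.
"""
import fnmatch
from typing import Iterable

# Constructed sample autosign.conf contents (not from a real system).
SAMPLE_AUTOSIGN = """\
# entries added by the deploy pipeline
web01.example.com
db01.example.com
*.build.example.com
web02.example.com
"""

# Constructed list of certnames the CA has already signed.
SAMPLE_SIGNED = [
    "web01.example.com",
    "web02.example.com",
    "ci-runner-7.build.example.com",
]

GLOB_CHARS = "*?["


def is_glob(entry: str) -> bool:
    """True if the entry is a domain-name glob rather than an exact certname."""
    return any(ch in entry for ch in GLOB_CHARS)


def prune_autosign(conf_text: str, signed_certnames: Iterable[str]) -> tuple[str, list[str]]:
    """Drop exact entries whose certname has been signed; keep everything else.

    Returns (new_conf_text, removed_entries). Globs are never removed here,
    because one glob can cover many hosts and needs a human decision.
    """
    signed = {name.strip().lower() for name in signed_certnames}
    kept: list[str] = []
    removed: list[str] = []
    for line in conf_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            kept.append(line)          # comments and blank lines pass through
        elif not is_glob(entry) and entry.lower() in signed:
            removed.append(entry)      # exact match, already signed: drop it
        else:
            kept.append(line)          # unsigned exact entry, or a glob
    new_text = "\n".join(kept)
    if conf_text.endswith("\n"):
        new_text += "\n"               # preserve the file's trailing newline
    return new_text, removed


def lingering_globs(conf_text: str, signed_certnames: Iterable[str]) -> dict[str, list[str]]:
    """Map each glob entry to the signed certnames it has already matched.

    A glob that has served its purpose still auto-signs any future request
    with a matching certname, so it is reported for review rather than removed.
    """
    names = [n.strip().lower() for n in signed_certnames]
    report: dict[str, list[str]] = {}
    for line in conf_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#") or not is_glob(entry):
            continue
        report[entry] = sorted(n for n in names if fnmatch.fnmatch(n, entry.lower()))
    return report


if __name__ == "__main__":
    new_conf, removed = prune_autosign(SAMPLE_AUTOSIGN, SAMPLE_SIGNED)
    print("removed:", removed)
    print("remaining autosign.conf:\n" + new_conf)
    for glob, hosts in lingering_globs(SAMPLE_AUTOSIGN, SAMPLE_SIGNED).items():
        print(f"glob {glob!r} still active; already matched: {hosts}")
```

Run against the constructed sample, the two signed exact entries are removed, `db01.example.com` stays because its request has not been signed yet, and `*.build.example.com` is kept but flagged with the host it already matched. Whether such a scan belongs in Foreman or in a cron job beside the CA is the question the thread leaves open; either way it reads the CA's signed list and rewrites the file, so it needs the same filesystem permissions as the CA itself.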
