You can scan Puppet server to see whether naive signing is enabled by using this tool.
Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate as a puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files.
This script makes use of the Puppet HTTP API interface to sign the request.
This script has been Tested on versions 3.8.5, 4.10.
You should be able to set up a secure autosigning system as long as you can provide reasonable end-to-end security for secret data on your nodes.
For more, see the Reference section.