PKI keys per service or per server?
Solution 1:
The more ciphertext that's available, the easier it is to crack. Having said that, all security is a trade off. You need to think what are you using the certificates for? Encryption? Authentication? What would happen if there was a compromise? How does that weigh against the administration benefit of having less certificates to keep track of. You're using puppet, so some of the administrative overhead is reduced.
We use a custom root certificate and a single wildcard keypair where possible on our internal systems. This is mostly just to stop casual sniffers gaining passwords. I'm sure that a determined hacker would find a way in. Having just had our certificate expire, we've set up puppet infrastructure to distribute the key and restart services. Next year we just need to check the new keys into subversion and puppet should do the rest.