diff --git a/howto/tls.md b/howto/tls.md
index 8f008a8c71c22c1c302e674677d4c69619772853..745aa7edf175d3db76d41b804b962a42e6f972b8 100644
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -459,10 +459,28 @@ systems and see if we can reduce the number of CAs.
 
 ## Alternatives considered
 
-The `auto-ca` machinery could be replaced by Puppet code. We could
-also leverage the ACME protocol designed by letsencrypt to run our own
-CA instead of just OpenSSL, although that might be overkill. In
-general it might be preferable to reuse an existing solution than
+The `auto-ca` machinery could be replaced by Puppet code. Here are
+modules that might be relevant:
+
+ - [mmack/cfssl](https://forge.puppet.com/modules/mmack/cfssl/): interfaces [Cloudflare's cfssl](https://github.com/cloudflare/cfssl) "PKI/TLS swiss
+   army knife"
+
+ - [rehan/easyrsa](https://forge.puppet.com/modules/rehan/easyrsa): wrapper around [easy-rsa](https://github.com/OpenVPN/easy-rsa), itself a wrapper
+   around OpenSSL, not well documented
+
+ - [Aethylred/keymaster](https://forge.puppet.com/modules/Aethylred/keymaster/readme): handle X509 CAs, but also SSH host keys,
+   which might be in conflict with our existing code
+
+ - [puppet/openssl](https://forge.puppet.com/modules/puppet/openssl): a bit bare-bones, no revocation support
+
+Trocla also has support for [x509 certs](https://github.com/duritong/trocla#x509) although it assumes there
+is already a CA present, and it [does not support EC keys](https://github.com/duritong/trocla/issues/82).
+
+We could also leverage the ACME protocol designed by Let's Encrypt to
+run our own CA instead of just OpenSSL, although that might be
+overkill.
+
+In general, it would be preferable to reuse an existing solution than
 maintain our own software in Make.
 
 ### Other Certificate Authorities
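Review bot: the new module list judges its entries on different criteria, which makes them hard to compare as `auto-ca` replacements. `puppet/openssl` is marked "no revocation support" and Trocla is noted as not supporting EC keys, but the `mmack/cfssl`, `rehan/easyrsa` and `Aethylred/keymaster` entries say nothing about revocation or EC key support. Suggest stating both properties for every entry, or saying explicitly that they were not evaluated. Two smaller points in the same hunk: "it would be preferable to reuse an existing solution than maintain" reads better as "rather than maintain", and the `Aethylred/keymaster` link targets the `/readme` tab while the other Forge links point at the module page, so the link style is inconsistent.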