This page was last updated in 2015 and may be outdated. Please update it if you can.
WMF has found occasionally the need to host it's own internal CA for some purposes. That is what WMF CA is. There are 2 WMF CAs at this point:
This has finally been completely phased out and any rerefences to it are historical. Any certificates by it have been reissued by the the second one and it has been removed from the puppet repo and any keystores. It should no longer be possible to use it, issue/revoke certs etc.
This is the current WMF CA. It is set to expire in 2017 as you can tell by the name. Should we still need it by then we should very easily issue a new one and reissue the certificates.
puppet private repo holds all the information you might need to manipulate the wmf_ca_2014_2017. There is a README there that should cover the basics.
If you want to re-issue a cert, don't forget to revoke the old one first or you will get a:
failed to update database TXT_DB error number 2