(PUP-10639) Print digest of the new CA/CRL

If we download a new bundle, then log an info message with the digest. By
default, this is SHA256, unless an alternative algorithm is specified in
`:digest_algorithm`.

Author: joshcooper

lib/puppet/ssl/state_machine.rb

@@ -139,6 +139,9 @@ def download_ca(ssl_ctx, last_update)
       next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
       @cert_provider.save_cacerts(cacerts)
 
+      digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
+      Puppet.info("Refreshed CA certificate: #{digest}")
+
       next_ctx
     end
   end
@@ -232,6 +235,9 @@ def download_crl(ssl_ctx, last_update)
       next_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls)
       @cert_provider.save_crls(crls)
 
+      digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
+      Puppet.info("Refreshed CRL: #{digest}")
+
       next_ctx
     end
   end