Puppet Community

`ca.pem` just has the CA chain. The PE services all use the Puppet agent certificate as their server certificate:

```puppet config print hostcert```

And PE services just present the leaf certificate during TLS handshakes, not the full chain. On the assumption that the client has a local copy of `ca.pem` to complete the chain for validation.

I was somehow under the impression that some PE services use a different CA but clearly I was mistaken

So yes, installing the CA (root and intermediate CA) solved my problem :ok_hand::skin-tone-2: 

Nope, same CA. And PE Services for the most part just share the certificate of the local Puppet Agent.