docs: slide 33 — add speaker notes on Puppet's CA/certificate auth model

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Arnaud Prémel-Cabic
2026-06-08 14:59:09 +02:00
parent e763f16a07
commit e4e42f3e69


@@ -1229,6 +1229,11 @@ $ ansible-galaxy install &lt;namespace&gt;.&lt;role&gt;
<li>Opposite model to Ansible: pull, not push — agents reach out to the server.</li> <li>Opposite model to Ansible: pull, not push — agents reach out to the server.</li>
<li>Every ~30 min the agent fetches a catalog and converges the node — point at the diagram.</li> <li>Every ~30 min the agent fetches a catalog and converges the node — point at the diagram.</li>
<li>This is the key idea: enforcement runs on a loop, not just at deploy.</li> <li>This is the key idea: enforcement runs on a loop, not just at deploy.</li>
<li><strong>Authentication: mutual TLS, not SSH keys or passwords.</strong> The Puppet Server runs its own built-in Certificate Authority (CA). Every agent and the server are identified by an X.509 certificate the CA signs.</li>
<li>First contact: a new agent generates a keypair and sends a Certificate Signing Request (CSR) to the CA, keyed on its <code>certname</code> (usually the FQDN). The cert is <em>pending</em> until signed.</li>
<li>Signing gate: an admin runs <code>puppetserver ca sign --certname &lt;node&gt;</code> (or autosign for trusted ranges/policies). Until signed, the agent gets no catalog — so signing is the enrollment/trust decision.</li>
<li>Steady state: every run is mutual TLS — the agent verifies the server's cert, the server verifies the agent's. Same CA signs both sides, so identity is cryptographic, not network-trust.</li>
<li>Lifecycle: revoke a decommissioned node with <code>puppetserver ca revoke</code> (lands in the CRL); <code>ca clean</code> removes the cert so a rebuilt host can re-enroll. Watch for clock skew and cert expiry — classic agent-checkin failures.</li>
</ul> </ul>
</aside> </aside>
<svg width="750" height="250" viewBox="0 0 750 250" xmlns="http://www.w3.org/2000/svg" style="margin-top:0.5em;"> <svg width="750" height="250" viewBox="0 0 750 250" xmlns="http://www.w3.org/2000/svg" style="margin-top:0.5em;">
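Review bot: the "autosign for trusted ranges/policies" aside in the "Signing gate" bullet weakens the point the same bullet makes, that signing is the enrollment/trust decision; a blanket autosign accepts any CSR whose certname matches, so the note should say that autosign is only equivalent to the manual `puppetserver ca sign --certname <node>` gate when it is policy-based (a validation script or an explicit allowlist), and that an unrestricted autosign hands the enrollment decision to whoever can present a matching certname. A one-clause addition would do, e.g. "(or policy-based autosign; never blanket autosign)". Minor: the "Lifecycle" bullet lists revoke and clean but does not say which of the two a decommission normally needs; stating that `ca clean` covers the revoke-and-remove case would save the audience a question.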