Many Puppet-based workflows are centered around the master, which is a central source of configuration data and authority. The master hands instructions to every computer system in the infrastructure on which an agent is installed. It serves multiple purposes in the distributed system of Puppet components.
The master will perform the following tasks:
As such, the security of your master machine is paramount, much like that of a Kerberos Key Distribution Center.
During its first initialization, the Puppet master generates the CA certificate. This self-signed certificate will be distributed to, and trusted by, every piece of your infrastructure. This is why its private key must be protected very carefully. New agent machines request individual certificates, which are signed with the CA's private key.
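One way to verify that the CA private key, and any other key material on the master, is not accessible to group or other users. This is an added example, not from the original text; it assumes the directory passed in is the master's SSL directory, which `puppet config print ssldir` reports.

```shell
#!/bin/sh
# Added example: audit PEM private keys under a Puppet SSL directory.
# Usage (assumption: run on the master as a user who can read the tree):
#   sh audit_keys.sh "$(puppet config print ssldir)"

# audit_private_keys DIR
# Prints "<group/other bits> <path>" for every file under DIR that contains
# a PEM private key and grants any permission to group or other.
# Returns 0 when no such file exists, 1 otherwise.
audit_private_keys() {
    # grep -l lists only the files that actually hold a private key, so
    # world-readable certificates and CRLs are not reported.
    find "$1" -type f -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + |
    (
        rc=0
        while IFS= read -r f; do
            # Characters 5-10 of `ls -ld` are the group and other bits.
            perms=$(ls -ld "$f" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                printf '%s %s\n' "$perms" "$f"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Run the audit only when a directory is given on the command line.
[ "$#" -eq 0 ] || audit_private_keys "$1"
```

A non-zero exit status makes the function usable from cron or a monitoring check; any path it prints should be restricted to its owner.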