Puppet uses openssl certificates to securize the communication between the master and the agents. Docker also uses the same technology in the communication between the engine and the client. So, it could be a good idea to reuse the certificates that Puppet generates when it setup an agent in the Docker TLS communication.
The Puppet master has it own CA authority. It also has a certificate (which contains the RSA public key) and a private key.
When a new agent tries to connect with the master, the master signs agent's certificate (here we can follow different policies: manual sign, autosign.conf, etc).