diff --git a/README.md b/README.md
index 4e02df5c..3ef6a211 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,8 @@ And depends on:
 
 ### Limitations
 
+The use of Icinga's own CA is recommended. If you still want to use the Puppet certificates, please note that Puppet 7 uses an intermediate CA by default and Icinga cannot handle its CA certificate, see [Icinga Issue](https://github.com/Icinga/icinga2/pull/8859).
+
 This module has been tested on:
 
 * Ruby >= 1.9
diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
index f225c227..cf16adfb 100644
--- a/manifests/feature/api.pp
+++ b/manifests/feature/api.pp
@@ -55,6 +55,8 @@
 #   Provides multiple sources for the certificate, key and ca.
 #   - puppet: Copies the key, cert and CAcert from the Puppet ssl directory to the cert directory
 #             /var/lib/icinga2/certs on Linux and C:/ProgramData/icinga2/var/lib/icinga2/certs on Windows.
+#             Please note that Puppet 7 uses an intermediate CA by default and Icinga cannot handle
+#             its CA certificate, see [Icinga Issue](https://github.com/Icinga/icinga2/pull/8859).
 #   - icinga2: Uses the icinga2 CLI to generate a Certificate Request and Key to obtain a signed
 #              Certificate from 'ca_host' using the icinga2 ticket mechanism.
 #              In case the 'ticket_salt' has been configured the ticket_id will be generated