During the initial installation and configuration of Puppet Enterprise, there is a short window of time where the generated CA key is left world-readable. This is corrected later during the configuration/bootstrapping steps.
In Puppet Enterprise 3.8.3 and 2015.2.3, the CA key (and all other SSL private keys) are created with the correct permissions.
