diff --git a/deployment/check/common/targetNode.nix b/deployment/check/common/targetNode.nix
index b42c5e21..16eacb94 100644
--- a/deployment/check/common/targetNode.nix
+++ b/deployment/check/common/targetNode.nix
@@ -50,13 +50,16 @@ in
 };
 security.pki.certificateFiles = [
+ ## NOTE: This certificate is the one used by the Pebble HTTPS server.
+ ## This is NOT the root CA of the Pebble server. We do add it here so
+ ## that Pebble clients can talk to its API, but this will not allow
+ ## those machines to verify generated certificates.
 testCerts.ca.cert
 ];
 ## FIXME: it is a bit sad that all this logistics is necessary. look into
 ## better DNS stuff
 networking.extraHosts = "${config.acmeNodeIP} acme.test";
-
 })
 ];
 }
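Review bot: The added comment above `testCerts.ca.cert` calls the certificate "the one used by the Pebble HTTPS server", while the attribute name reads as a CA certificate, so a reader cannot tell whether the node trusts a single server certificate or a signing CA; every entry in `security.pki.certificateFiles` becomes a system-wide trust anchor, so the comment should state which it is. If it is the test CA that signed Pebble's API certificate (not visible in this hunk), wording such as `## NOTE: test-only CA that signs the Pebble API (HTTPS) certificate; it is not the CA Pebble issues certificates from.` would be unambiguous. The comment also says these machines cannot verify generated certificates but not how the checks are meant to cope with that; one more line naming the intended approach would keep a later reader from working around it by relaxing certificate verification more widely. The enclosing module starts above the hunk.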