diff --git a/etc/lab-host.toml.example b/etc/lab-host.toml.example
index 9c13a2d..dacc490 100644
--- a/etc/lab-host.toml.example
+++ b/etc/lab-host.toml.example
@@ -17,10 +17,12 @@ qcow_image = "/var/lib/cis490/vm/images/metasploitable2.qcow2"
 [receiver]
 # The receiver lives behind Caddy on the WG-side collector host. The
 # hostname must resolve over WG (collector.wg in the canonical
-# spectral lab). The wg-pki CA must be on every lab-host so the
-# Caddy-issued internal cert validates.
+# spectral lab). ca_bundle pins the Caddy root CA (bundled in the
+# repo) so the shipper can verify the server's TLS cert. The wg-pki
+# client CA (wg-ca.pem from the bootstrap tarball) is the RECEIVER's
+# trust anchor for our client cert — we don't configure it here.
 url = "https://collector.wg"
-ca_bundle = "/etc/cis490/certs/wg-ca.pem"
+ca_bundle = "/opt/cis490/etc/caddy-root.crt"
 
 # mTLS: leaf cert + private key issued by wg-pki for THIS host_id.
 # Comment these out to fall back to bearer-token auth during early