Ca.key lost. Most efficient approach to create certs and sign them

The Icinga we are running for now is 2.6. Our ca.key has been lost, so I have to recreate the CA and the ca.key on the master. Because of this I will have to recreate certs for each of my nodes and sign them on the master. My question is: after I recreate the certs on the master and transfer them over to my nodes, what next steps will I have to take? Is it simply restarting the Icinga service, or do I have to rerun node wizard? Also, what would be your recommendation to automate this process? I’m assuming an Ansible playbook might be useful for this purpose?

You could create a playbook to run icinga2 save-cert on your satellites to fetch the master trusted cert, then run the same play on your nodes to save the key and cert from your satellites. After each step, loop through the entries listed when you run ‘icinga2 ca list’ and sign the entries.


Yes, I think I’ll try out your suggestion. Would I run icinga2 pki request or save-cert like you said to get certs for my nodes? Thanks for your response.

Hey, I didn’t see your question.

You’d run

icinga2 pki save-cert --key /var/lib/icinga2/certs/{{ inventory_hostname }}.key --cert /var/lib/icinga2/certs/{{ inventory_hostname }}.crt --trustedcert /var/lib/icinga2/certs/trusted-master.crt --host $satellite_fqdn

Ok, gotcha, thanks for your response. Is the trusted-master.crt the same thing as the ca.crt? Also, I realized that ca list isn’t available on version 2.6. So there is no need to rerun node setup or node wizard on the client machines? We just get the new certs from the master and restart the Icinga service on the clients?
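The per-node re-enrolment the thread is circling around, written out as an added example (not code from the thread or from the Icinga project). It assumes the new CA already exists on the master (icinga2 pki new-ca), that CERT_DIR is the node's cert directory (/etc/icinga2/pki on 2.6), that PARENT is the satellite or master the node connects to, and that a ticket was generated on the master with icinga2 pki ticket --cn "<node cn>"; on 2.6 there is no ca list, so the request has to carry a ticket to be signed.

```shell
#!/bin/sh
# Re-enrol one Icinga 2 node against a freshly created CA (constructed example).
# ICINGA2 can be pointed at another binary (e.g. echo) to dry-run the steps.
ICINGA2="${ICINGA2:-icinga2}"
CERT_DIR="${CERT_DIR:-/etc/icinga2/pki}"

# Step 1: fresh key pair for this node; the old cert was signed by the lost CA
# and cannot be trusted by the new one, so it must not be reused.
new_node_key() {
  node_cn="$1"
  "$ICINGA2" pki new-cert --cn "$node_cn" \
    --key "$CERT_DIR/$node_cn.key" --cert "$CERT_DIR/$node_cn.crt"
}

# Step 2: fetch the parent's certificate over TLS and store it as trust anchor.
# Verify its fingerprint out of band before relying on it; this call alone
# only stores whatever the remote end presented.
fetch_trusted_cert() {
  node_cn="$1"; parent="$2"
  "$ICINGA2" pki save-cert --key "$CERT_DIR/$node_cn.key" \
    --cert "$CERT_DIR/$node_cn.crt" \
    --trustedcert "$CERT_DIR/trusted-parent.crt" --host "$parent"
}

# Step 3: ask the parent to sign the new key. The ticket is the node's proof
# of authorisation; the new CA cert is written to ca.crt alongside the cert.
request_signed_cert() {
  node_cn="$1"; parent="$2"; ticket="$3"
  "$ICINGA2" pki request --key "$CERT_DIR/$node_cn.key" \
    --cert "$CERT_DIR/$node_cn.crt" \
    --trustedcert "$CERT_DIR/trusted-parent.crt" \
    --ca "$CERT_DIR/ca.crt" --ticket "$ticket" --host "$parent"
}

# Run the three steps in order; afterwards restart icinga2 so the daemon
# loads the new key, cert and CA. Usage: renew_node <node cn> <parent> <ticket>
renew_node() {
  new_node_key "$1" && fetch_trusted_cert "$1" "$2" \
    && request_signed_cert "$1" "$2" "$3"
}
```

No node wizard rerun is needed for this path: the wizard only writes the same files and zone/endpoint config, which a re-signed cert does not change.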