CA sign on secondary master


We install and configure the icinga2 agent without actually generating a ticket number. We later run icinga2 ca sign _______ to sign the certificates.

I am sometimes seeing that, after an agent is installed on an agent node, the secondary master gets the CA certificate for signing, while the same is not available in the icinga2 ca list on the primary.

Q: Can we sign the CA on the secondary master using #icinga2 ca sign ____, or do we reconfigure the agent, see if the primary master (config master) gets it, and sign it only on the primary master?

But the primary master does not show the same in $icinga2 ca list.


So if icinga2 ca list stays for 5 days and we want to sign it after the 5th day, what do we do to get the entry back on the icinga2 ca list?