Hi
Is there an API call/endpoint which allows me to sign a CSR similar to the ‘icinga2 pki sign-csr’ on the command line? Just CSR in and certificate out.
I did not find any information about this so far.
There is no API endpoint, but there is an icingaweb2 module for signing via GUI:
A GUI does not really help when you want to automate.
OK, I finally got it scripted with the detour over the ticket feature:
# create key
echo "# icinga2 pki new-cert --cn '$FQDN' --key '$DIR/node.key' --cert '$DIR/node.crt'"
icinga2 pki new-cert --cn "$FQDN" --key "$DIR/node.key" --cert "$DIR/node.crt"
# get the certificate of the Icinga2 master, as it is not possible to make the check with a CA certificate...
echo "# icinga2 pki save-cert --host '$MASTER' --trustedcert '$DIR/master.crt'"
icinga2 pki save-cert --host "$MASTER" --trustedcert "$DIR/master.crt"
# ... so we do the CA check ourselves
echo "# openssl verify -CAfile /var/lib/icinga2/certs/ca.crt '$DIR/master.crt'"
openssl verify -CAfile /var/lib/icinga2/certs/ca.crt "$DIR/master.crt"
# tada - we finally get the certificate
echo "# icinga2 pki request --host '$MASTER' --key '$DIR/node.key' --cert '$DIR/node.crt' --ticket '$TICKET' --ca '$DIR/ca.crt' --trustedcert '$DIR/master.crt'"
icinga2 pki request --host "$MASTER" --key "$DIR/node.key" --cert "$DIR/node.crt" --ticket "$TICKET" --ca "$DIR/ca.crt" --trustedcert "$DIR/master.crt"
But it is not as straightforward as it could be, as it does not cover the case where people are able to do CA certificate management beforehand…
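A fail-closed wrapper around the sequence posted above, as an added example that is not part of the original post. `enroll_node` and its argument order are hypothetical; the `icinga2 pki` and `openssl verify` invocations are the ones from the script, and the CA file is assumed to be provisioned on the node beforehand.

```shell
# Added example, not from the thread. enroll_node and its arguments are
# hypothetical names; the icinga2/openssl calls are those posted above.
enroll_node() (
    # Subshell body: set -u and umask stay local to this function.
    # Every step is checked explicitly, because "set -e" is ignored when a
    # function is called as "enroll_node ... || handle_error".
    set -u
    fqdn=$1 master=$2 ticket=$3 dir=$4
    ca=${5:-/var/lib/icinga2/certs/ca.crt}   # CA file provisioned out of band

    [ -r "$ca" ] || { echo "CA file $ca not readable" >&2; exit 2; }
    umask 077                                # node.key must not be world-readable
    mkdir -p "$dir" || exit 1

    icinga2 pki new-cert --cn "$fqdn" --key "$dir/node.key" \
        --cert "$dir/node.crt" || exit 1

    # save-cert stores whatever certificate the peer presents; on its own
    # that file proves nothing about who answered on $master.
    icinga2 pki save-cert --host "$master" --trustedcert "$dir/master.crt" || exit 1

    # Gate: only a certificate that chains to our CA may become --trustedcert.
    if ! openssl verify -CAfile "$ca" "$dir/master.crt" >/dev/null; then
        rm -f "$dir/master.crt"
        echo "certificate from $master does not verify against $ca" >&2
        exit 3
    fi

    icinga2 pki request --host "$master" --key "$dir/node.key" \
        --cert "$dir/node.crt" --ticket "$ticket" --ca "$dir/ca.crt" \
        --trustedcert "$dir/master.crt" || exit 1
)
```

Exit status 2 means the local CA file is missing and 3 means the master's certificate was rejected; in both cases `icinga2 pki request` is never run.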
Sorry for bumping this old thread, but it is almost the first hit when searching the web for this topic.
There is an older Icinga 2 issue for this feature, https://github.com/Icinga/icinga2/issues/6656.