I have a problem with certificate chains. The CA certificate is a 3-level intermediate certificate (Root -> RA -> Icinga-CA).
The clients and satellites do not pull the chain or exchange them for the root CA. Where can a certificate chain be stored for distribution?
best practise is to let icinga creates and use its own ca. You can use an external created (sub) ca is you exactly know what and how to do it. But it will not be supported by icinga and i guess you will not find much help.