Simply put, that is what we recommend to include in your backups. Copying the
.../ca path is enough, but only do that for migration purposes. If that’s exposed anywhere else, bad people can sign certificates and hijack your monitoring. Keep the CA safe and secure, that’s merely the point with not documenting this in deep for migrations.
When using the term
salt, does that mean SaltStack?
Agreed, there could be more instructions on test stages and moving to production. Still, there’s two arguments - each system should be isolated on its own. Meaning to say, you have two Icinga CAs, and those systems cannot interfere with each other. Migration requires additional steps then. For easiness, sharing the same CA may work as well, but it may also open the doors for left-over endpoints, and wrong configurations between stage and prod.
That being said, I’d opt for creating a new CA and migrating existing satellites and CA with a gentle re-installation.