Starting about 2-3 years ago, Icinga2 included a feature to auto-renew client certificates, which is good. But my servers that are older than that still have their original 15-year certificates on them, and I’d like to replace them with new ones that have the newer validity period. I tried using icinga2 pki request with a ticket number but it tells me that the current certificate is still valid and skips automated renewal.
What step(s)/command(s) should I be using to manually renew client certs?
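As an added check that is not from this thread or from the Icinga project: before renewing anything, it helps to inventory which hosts still carry the old long-lived certificates. The script below parses the output of `openssl x509 -noout -dates` (run against each client's `/var/lib/icinga2/certs/<fqdn>.crt`, a path assumed here) and flags certificates whose validity window exceeds an assumed two-year cutoff, which separates the legacy 15-year certificates from ones issued with the newer, shorter validity.

```python
"""Flag Icinga 2 client certificates that still carry a legacy long validity.

Input is the text printed by `openssl x509 -noout -dates -in <cert>`:
    notBefore=Mar  1 10:00:00 2016 GMT
    notAfter=Mar  1 10:00:00 2031 GMT
"""
from datetime import datetime, timezone

# Assumption, not from the thread: any certificate valid for longer than this
# is treated as a legacy certificate issued before automatic renewal existed.
LEGACY_THRESHOLD_DAYS = 2 * 365


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from `-dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in ("notBefore", "notAfter"):
            continue
        # openssl pads single-digit days with a space ("Mar  1"); strptime copes
        # because whitespace in the format matches any run of whitespace.
        stamp, _, zone = value.strip().rpartition(" ")
        if zone != "GMT":
            raise ValueError(f"unexpected timezone in {line!r}")
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        fields[key] = parsed.replace(tzinfo=timezone.utc)
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("notBefore/notAfter not found in openssl output")
    return fields["notBefore"], fields["notAfter"]


def classify_cert(text, now=None):
    """Describe one certificate: total validity, days left, and legacy/expired flags."""
    not_before, not_after = parse_openssl_dates(text)
    now = now or datetime.now(timezone.utc)
    validity_days = (not_after - not_before).days
    remaining_days = (not_after - now).days
    return {
        "validity_days": validity_days,
        "remaining_days": remaining_days,
        "legacy": validity_days > LEGACY_THRESHOLD_DAYS,
        "expired": remaining_days < 0,
    }


# Constructed sample outputs for two hypothetical hosts, not captured from a real system.
LEGACY_HOST = "notBefore=Mar  1 10:00:00 2016 GMT\nnotAfter=Mar  1 10:00:00 2031 GMT\n"
RECENT_HOST = "notBefore=Jan 10 08:30:00 2024 GMT\nnotAfter=Feb 10 08:30:00 2025 GMT\n"

if __name__ == "__main__":
    for name, output in (("legacy-host", LEGACY_HOST), ("recent-host", RECENT_HOST)):
        print(name, classify_cert(output))
```

A host whose certificate reports `legacy: True` is one the automatic renewal will not touch while the certificate is still valid, so it belongs on the list of certificates to replace by hand.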
That said, I at least partly agree with you, so the obvious follow-up question is, how do I revoke a certificate/add it to the revocation list? Which is actually also relevant in general, since I periodically decommission systems as well and it would make sense to revoke those certs when the system gets decommissioned.
Thanks for that pointer, I’ll have to think about what makes the most sense. I might just want to regenerate my entire Icinga2 CA/PKI infrastructure so that I can have everything on shorter validity certs and then implement the CRL going forward. I know I saw instructions for that somewhere, hopefully it’s not too arduous.