Hello again,
I am trying to do a simple curl using the client’s certificate as authentication but it fails.
I am following the documented method.
curl --cacert /var/lib/icinga2/certs/ca.crt --cert <path to client crt> --key <path to client key> 'https://winmonit-dev3:5665/v1'
Using the basic authentication(username and pass) it works as expected
but with the certificates I get a 401 Unauthorized message.
I would appreciate any help on this! 
I would look into the ApiUser and if the attribute client_cn really matches the cn in the subject of the certificate shown with openssl x509 -noout -text -in CERT.
Thanks Dirk,
That was the problem indeed, but if I want to authenticate for every client using the certificates should
I have a new ApiUser for each one of them?
If you want to reuse the agent’s certificate, an ApiUser for each System would be needed.
But I would recommend one ApiUser for one functionality and then distributing the certificate, for example in one environment we have a downtime user with permissions restricted just for this use case. While Icinga 2 has no revocation list and so you can not revoke the certificate, by removing or changing the ApiUser you can remove the permissions quite easily.
I need the api user for downtimes so that was a perfect example,
Thanks again for the tips!