I’m setting up a new Icinga2 cluster ( 2 masters + 4 Satellites ) using CSR Auto signing. While running the node setup wizard on the Satellites, I used secondary master in addition to the primary master. Is it a good practice to have secondary handle the certificate signing? Do the masters suppose to store the satellite certs files in their /var/lib/icinga2/certs directory or the certs resides on the satellite only ?
Only the primary master should have the CA key pair & private TicketSalt and as such, the authority to sign certificate requests
Signed node certificates are stored by each instance, including their private key. None of these is exposed to any other instance/node. On connect, the TLS handshake takes care of checking the presented certificates and ensure that they trust each other.