New signed Certs

Hello. I already have a working icinga2 environment but we need to generate new signed certs for all of our client nodes. I’m aware of how to do this (icinga2 pki save-cert command) but i was wondering if there are any additional steps? Do i just get the signed certs from the master and restart the icinga2 service on the clients or would i need to run node setup or node wizard again? I appreciate any help you can provide on this subject.


if you have created a new Icinga 2 certificate authority (CA) you need to copy the ca certificate as well. If the hostnames are exactly the same this should be everything.

To make it a bit easier you could use the On-Demand CSR signing mechanism.

Best regards

Thank you for your reply. The icinga version we are currently using is older so I’m not able to use the ca list command. I was thinking that I will make an ansible playbook and i would run icinga2 pki new cert and also icinga2 pki sign-csr on the master node and then I could transfer over the files to the correct location. Do you think my idea is feasible?

Hi, with ansible a lot is possible even this.
You probably need to get a little creative with it tough and delegate some tasks to the master / satellite.

You could look into auto renewing aswell. Every time icinga reloads a config it will then check / renew this for you.

Thanks for your reply. Yes i think i will use local_action to make sure the cert creation and cert signing commands will run on the master. The version of icinga we use is a little older so I’m not sure if we can use the auto renew feature.