New signed Certs

Hello. I already have a working icinga2 environment, but we need to generate new signed certs for all of our client nodes. I’m aware of how to do this (icinga2 pki save-cert command), but I was wondering if there are any additional steps. Do I just get the signed certs from the master and restart the icinga2 service on the clients, or would I need to run node setup or node wizard again? I appreciate any help you can provide on this subject.

Hi,

If you have created a new Icinga 2 certificate authority (CA), you need to copy the CA certificate as well. If the hostnames are exactly the same, this should be everything.

To make it a bit easier you could use the On-Demand CSR signing mechanism.

Best regards
Michael
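
A pre-restart check for the two conditions named in the reply above (the CA certificate on the client matches the one that signed the new cert, and the hostname is exactly the same), added here as an example and not part of the thread. It assumes `openssl` is installed; the function name and the file paths passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: verify a re-issued Icinga 2 client certificate before
# restarting the icinga2 service on that client.
# Usage: check_icinga_cert CA_CERT CLIENT_CERT CLIENT_KEY EXPECTED_CN
# Returns 0 if all checks pass, otherwise 1, 2 or 3 (see below).

check_icinga_cert() {
    ca=$1 cert=$2 key=$3 want_cn=$4

    # 1. The certificate must chain to the CA file deployed next to it.
    #    Fails when a new CA was created but the old ca.crt was left behind.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca"
        return 1
    fi

    # 2. The subject CN must equal the expected hostname exactly.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: CN is '$cn', expected '$want_cn'"
        return 2
    fi

    # 3. The private key on the client must belong to the certificate
    #    (compare hashes of the two public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"
        return 3
    fi

    echo "OK: $want_cn"
}

# Run directly when called with four arguments.
if [ "$#" -eq 4 ]; then
    check_icinga_cert "$@"
fi
```

Run it against the files staged for each client before they replace the live ones, so a mismatch is caught before the service is restarted.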

Thank you for your reply. The Icinga version we are currently using is older, so I’m not able to use the ca list command. I was thinking that I will make an Ansible playbook and I would run icinga2 pki new cert and also icinga2 pki sign-csr on the master node, and then I could transfer over the files to the correct location. Do you think my idea is feasible?

Hi, with Ansible a lot is possible, even this.
You probably need to get a little creative with it though and delegate some tasks to the master / satellite.

You could look into auto renewing as well. Every time Icinga reloads a config it will then check / renew this for you.

Thanks for your reply. Yes, I think I will use local_action to make sure the cert creation and cert signing commands will run on the master. The version of Icinga we use is a little older, so I’m not sure if we can use the auto renew feature.