Not able to sign ticket in ca list

Hello everybody

I'm currently struggling with adding another host to my master that is located in a DMZ.

The problem:
Whenever I create a ticket with "icinga2 pki ticket --cn 'hostname'" I get a ticket like “81944461c03731c633f4f94df9882ec90e1095e9”, but when I try to sign it, it doesn't show up in “icinga2 ca list”.

Can anyone help me?

In addition, I have already signed tickets in the past.

Hi @ExeLeNtCrypt,

If you are generating a CSR signing ticket, and specify it during the installation, you do not need to sign the ticket manually, as it is signed automatically when submitted to the Icinga CA node.

Certificate requests will only appear in icinga2 ca list if they are outstanding/unsigned.


So I don't understand it right; maybe you can tell me what I'm doing wrong.
What I did:

  1. $ icinga2 pki ticket --cn ‘‘
     26ebf4526cc2a56bf66db125a36faabaca25379b

  2. PS C:\Program Files\ICINGA2\sbin> .\icinga2.exe node wizard
    Welcome to the Icinga2 Setup Wizard!
    We will guide you through all required configuration details.

    Please specify if this is a satellite/client setup (‘n’ installs a master setup) [Y/n]: y

    Starting the Client/Satellite setup routine…

    Please specify the common name (CN) [HOSTNAME.fq.dn]: hostname.fq.dn

    Please specify the parent endpoint(s) (master or satellite) where this node should connect to:

    Master/Satellite Common Name (CN from your master/satellite node): master.fq.dn

    Do you want to establish a connection to the parent node from this node? [Y/n]: n

    Connection setup skipped. Please configure your parent node to

    connect to this node by setting the ‘host’ attribute for the node Endpoint object.

    Add more master/satellite endpoints? [y/N]: n

    No connection to the parent node was specified.

    Please copy the public CA certificate from your master/satellite

    into ‘C:\ProgramData\icinga2\var/lib/icinga2/certs//ca.crt’ before starting Icinga 2.

    Found public CA certificate in ‘C:\ProgramData\icinga2\var/lib/icinga2/certs//ca.crt’.

    Please verify that it is the same as on your master/satellite.

    Please specify the API bind host/port (optional):

    Bind Host []:

    Bind Port []:

    Accept config from parent node? [y/N]: y

    Accept commands from parent node? [y/N]: y

    Reconfiguring Icinga…

    Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.

    Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.


    Now restart your Icinga 2 daemon to finish the installation!

  3. Afterwards I put the ca.crt on the client in /certificat-requests

  4. Then I restarted both

Since you didn’t tell the wizard to connect to the parent node, the ticket you generated isn’t actually used for anything. You want the ca in /certs instead of requests. If it can get that far, then you should see an option to sign it on the master.

If you specify to connect to the parent node, it’ll ask you to put that ticket in. Otherwise, it uses the ca.crt you copy over to identify the master and sends a certificate signing request to it when they initially connect.


Hi!

Blake is totally right.

You might try to set the following from

Do you want to establish a connection to the parent node from this node? [Y/n]: n

to

Do you want to establish a connection to the parent node from this node? [Y/n]: Y

Which is not coincidentally set by default to [Y].




Hi Blake,

I am also facing a similar issue. I did the icinga2 node wizard command on the client and gave the fingerprint from master/satellites with respect to the client when prompted. But still, if I give icinga2 ca list, it lists the corresponding client. Can you advise what is causing this? The monitoring checks are showing as pending.

What does the ca list show?

If the command “icinga2 ca list” still lists the client, you need to sign it with “icinga2 ca sign …”

Fingerprint Timestamp Signed Subject
06e15d0afe12bea69a073d9cFc735b896e6dee6eaFFFFFa3fb650 Nov 5 12:54:56 2020 GMT * CN = *******
679d615046dc20df1addc634bderfa85941754812917d7fac018f63a60caf01fe Nov 5 10:46:20 2020 GMT * CN = ********
fab3cec981ff591d4a0c75896f0ea8e28fe4226dfa70855cf94fdf0c78dca1dc Nov 3 10:03:32 2020 GMT * CN = *******

3 fingerprints for same CN

I signed the client, but it still shows in the satellite when I list.

There should be 3 different hostnames for the same server? Otherwise there would not be 3 fingerprints.
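
Added example, not part of the thread and not Icinga's own code: a small Python helper for reviewing "icinga2 ca list" output before signing anything, grouping requests by CN and separating signed rows ("*") from pending ones. The pipe-separated column layout, the function names and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, not taken from the thread. Assumed layout: a
# pipe-separated table as printed by "icinga2 ca list"; "*" marks signed.
SAMPLE = """\
Fingerprint | Timestamp | Signed | Subject
------------|-----------|--------|--------
aaaa1111 | Nov  3 10:03:32 2020 GMT | * | CN = agent1.example.org
bbbb2222 | Nov  5 10:46:20 2020 GMT | * | CN = agent1.example.org
cccc3333 | Nov  5 12:54:56 2020 GMT |   | CN = agent1.example.org
dddd4444 | Nov  5 13:10:02 2020 GMT |   | CN = agent2.example.org
"""

def parse_ca_list(text):
    """Return one dict per request row, skipping header and separator."""
    rows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 4 or cols[0] == "Fingerprint" or set(cols[0]) <= {"-"}:
            continue
        fingerprint, timestamp, signed, subject = cols
        # Subject looks like "CN = host"; keep only the host part.
        cn = subject.partition("=")[2].strip() if "=" in subject else subject
        rows.append({"fingerprint": fingerprint, "timestamp": timestamp,
                     "signed": signed == "*", "cn": cn})
    return rows

def review(rows):
    """Group by CN: fingerprints still unsigned, and CNs listed more than once."""
    by_cn = defaultdict(list)
    for r in rows:
        by_cn[r["cn"]].append(r)
    pending = {}
    for cn, reqs in by_cn.items():
        unsigned = [r["fingerprint"] for r in reqs if not r["signed"]]
        if unsigned:
            pending[cn] = unsigned
    repeated = sorted(cn for cn, reqs in by_cn.items() if len(reqs) > 1)
    return pending, repeated

if __name__ == "__main__":
    pending, repeated = review(parse_ca_list(SAMPLE))
    for cn, fps in pending.items():
        print(f"pending for {cn}: {', '.join(fps)}")
    print("CNs with more than one request:", ", ".join(repeated))
```

Compare each pending fingerprint with the one the agent itself reports before passing it to "icinga2 ca sign".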