here is a blogpost about the ca-proxy:
here are the docs:
here is one thread about it:
In summary:
A ) you send the cert request to the satellite with the correct ticket and your certificate gets autosigned
OR
B) You send the cert request to the satellite without any ticket and your masternode should have the request, and you can sign it there
icinga2 ca list
And if I remember correctly you have to have the api feature enabled on the satellite and listen on 0.0.0.0 or your device ip