Can anybody give me a tip on which certificate must be imported after installing the X509 module? Is it the domain certificate from our Windows Domain Controller? I found no information about it on the Internet.
I appreciate any hints…
Thanks in advance,
This is covered in the documentation. If you have your own CA, you’ll need to also import this into the module’s trust store.
In the Documentation:
The certificate chain file that is specified with the --file option should contain a PEM-encoded list of X.509 certificates which should be added to the trust store.
Does it mean I need to import ALL certificates in Icinga? I thought it would be done by the scan? Unfortunately there are no more details I can find about it.
You know what a CA (Certificate Authority) is? Any CA has its own certificate, by which other certificates are certified in order for them to be trustable.
The documentation suggests importing the global CA certificates known to the current system. This will import certificates of services such as Comodo or Let’s Encrypt. If you have your own CA (such as a Windows Domain Controller), you’ll need to additionally import its certificate.
Without these, the scan will surely find client certificates in your environment, but the module can’t validate them without any CA certificates imported into the trust store.
OK, now I understand.
Thanks a lot for clarifying this.
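A pre-import check for the chain file discussed in this thread, as an added example that is not from the module's documentation or from any poster: it merges the system CA bundle with your own CA's PEM, drops duplicates, and refuses input that contains a private key. The function names and sample blocks are constructed for illustration, and the leading-byte test is only a DER sanity check, not X.509 validation.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)

def to_pem(der):
    """Encode DER bytes as one PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def parse_bundle(text):
    """Return [(sha256_hex, der)] for every CERTIFICATE block in a PEM list."""
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            # Key material must never end up in a file meant for a trust store.
            raise ValueError("private key found in chain file: " + label)
        if label != "CERTIFICATE":
            continue  # CRLs, CSRs and similar blocks are not trust anchors
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("block does not start with a DER SEQUENCE tag")
        certs.append((hashlib.sha256(der).hexdigest(), der))
    return certs

def merge_bundles(*bundles):
    """Combine PEM lists, keeping the first copy of each certificate."""
    fps, out = [], []
    for text in bundles:
        for fp, der in parse_bundle(text):
            if fp not in fps:
                fps.append(fp)
                out.append(to_pem(der))
    return "".join(out), fps

def sample(name):  # constructed stand-in (SEQUENCE tag + payload), not a real certificate
    return to_pem(b"\x30" + bytes([len(name)]) + name)

SYSTEM_BUNDLE = sample(b"public-ca-1") + sample(b"public-ca-2")  # constructed
OWN_CA = sample(b"internal-ca") + sample(b"public-ca-1")         # one duplicate on purpose

if __name__ == "__main__":
    merged, fps = merge_bundles(SYSTEM_BUNDLE, OWN_CA)
    print(f"{len(fps)} unique certificates ready for the --file import")
```

With real input, pass the contents of the system CA bundle and your own CA's exported PEM file, then write the merged text to the file given to `--file`.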