Very soon we’ll release Icinga version 2.8 which brings the CA-Proxy to life. With this blogpost I want to show you how to use this feature and why it’s great.
How does the CA-Proxy work?
Let’s say our setup consists of a master, a satellite and multiple clients. Typically you would have to generate a setup ticket on the master for every client you want to set up and have them connect directly to the master.
Thanks to the CA-Proxy, a client doesn’t need to send the certificate signing request directly to the master. It’s now possible to send the request to a satellite, which then sends it to the master. This means that clients no longer need to have a direct connection to the master.
Version 2.8 also allows sending certificate signing requests without a setup ticket. If that’s the case, the request can later be responded to via a CLI command.
By combining both features you can use the node wizard without specifying neither specifying a master nor a ticket.

Client Setup
The first thing you need to do is to run the node wizard on the client. Like mentioned before, the ticket option can be skipped here:

root@icinga-agent-1:~# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!
We will guide you through all required configuration details.
Please specify if this is a satellite/client setup ('n' installs a master setup) [Y/n]: y
Starting the Client/Satellite setup routine...
Please specify the common name (CN) [icinga-agent-1]: [ENTER]
Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
Master/Satellite Common Name (CN from your master/satellite node): icinga-satellite-1
Do you want to establish a connection to the parent node from this node? [Y/n]: y
Please specify the master/satellite connection information:
Master/Satellite endpoint host (IP address or FQDN):
Master/Satellite endpoint port [5665]: [ENTER]
Add more master/satellite endpoints? [y/N]: n
Parent certificate information:
Subject: CN = icinga-satellite-1
 Issuer: CN = icinga-satellite-1
 Valid From: Nov 8 11:37:56 2017 GMT
 Valid Until: Nov 4 11:37:56 2032 GMT
 Fingerprint: BA 1F 61 BE 26 8E CB 4E 8B 4D 20 3F 10 5B D5 0C C4 BF 91 00
Is this information correct? [y/N]: y
Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'icinga-agent-1'): [ENTER]
No ticket was specified. Please approve the certificate signing request manually
on the master (see 'icinga2 ca list' and 'icinga2 ca sign --help' for details).
Please specify the API bind host/port (optional):
Bind Host []: [ENTER]
Bind Port []: [ENTER]
Accept config from parent node? [y/N]: y
Accept commands from parent node? [y/N]: y
Reconfiguring Icinga...
Now restart your Icinga 2 daemon to finish the installation!
root@icinga-agent-1:~# systemctl restart icinga2

Then we can list all requests with “icinga2 ca list”:

root@icinga-master-1:~# icinga2 ca list
Fingerprint        | Timestamp                | Signed | Subject
92a2e5bbb9b374f... | Nov  8 11:43:06 2017 GMT |        | CN = icinga-agent-1

And sign them via “icinga2 ca sign <fingerprint>”:

root@icinga-master-1:~# icinga2 ca sign 92a2e5bbb9b374f...
information/cli: Signed certificate for 'CN = icinga-agent-1'.

After a few minutes all certificates should be signed and synced all the way down to the clients. Neither the master nor the clients have to be restarted.