because of security requirements it is not possible that client contact master server for issuing of certificate. I know that this can be done manually on master, and then copy cert/keys to the clients but this is tedious task. So it came up to my mind to copy CA cert and key to the satellite server (from master /var/lib/icinga2/ca) and check will this work. Since i don't have test environment to check will this work, does anyone knows can this make some issues?
My idea is if CA cert and key can't make any issues on satellite server, then client could contact satellite server to get the signed certificate.