Is it possible that satellite server issue certificates for clients?

This forum was archived to /woltlab and is now in read-only mode.
  • Hi,


    because of security requirements it is not possible that client contact master server for issuing of certificate. I know that this can be done manually on master, and then copy cert/keys to the clients but this is tedious task. So it came up to my mind to copy CA cert and key to the satellite server (from master /var/lib/icinga2/ca) and check will this work. Since i don't have test environment to check will this work, does anyone knows can this make some issues?


    My idea is if CA cert and key can't make any issues on satellite server, then client could contact satellite server to get the signed certificate.

  • I would suggest to wait with this for the next Icinga 2 release.


    They talked about having the satellites as proxies for this.

    Linux is dead, long live Linux


    Remember to NEVER EVER use git repositories in a productive environment if you CAN NOT control them

  • That, or the manual CA key pair copy to the satellite, making it a signing instance. Consider this being a workaround, as it exposes your private CA key to a different instance not necessarily trusted.


    I'd recommend to wait for 2.8 which targets OSMC.