Doc: Distributed Monitoring: add section "External CA/PKI"
The following already works:

* Custom key sizes, e.g. 2048 bits
* Custom key types, e.g. ECC
* Multiple trusted root CAs in `/var/lib/icinga2/certs/ca.crt`
* Different root CAs per cluster subtree, as long as each node trusts the
  issuers of the certificates of all nodes it's directly connected to
* Any number of intermediate CAs
Al2Klimov authored Jul 6, 2023
1 parent 26a75f8 commit ba89e5a
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions doc/06-distributed-monitoring.md
Expand Up @@ -3230,6 +3230,31 @@ information/pki: Writing certificate to file 'icinga2-satellite1.localdomain.crt

Copy and move these certificates to the respective instances e.g. with SSH/SCP.

#### External CA/PKI

Neither the above commands, nor their automatic counterparts in the Icinga
cluster do anything special during certificate issuance. I.e. Icinga
isn't the only possible source of the certificates it uses. E.g.
`openssl req/x509 ...` may be used as well as long as the leaf certificates' CN
and SAN match the endpoint names. Pretty much everything else is limited only by
your imagination and the oldest OpenSSL version of two Icinga nodes connected to
each other. E.g. the following works:

* Custom key sizes, e.g. 2048 bits
* Custom key types, e.g. ECC
* Multiple trusted root CAs in `/var/lib/icinga2/certs/ca.crt`
* Different root CAs per cluster subtree, as long as each node trusts the
issuers of the certificates of all nodes it's directly connected to
* Any number of intermediate CAs (but see below)

Intermediate CA restrictions:

* Intermediate CAs may not be directly used as root CAs. To trust only specific
intermediate CAs, cross-sign them with themselves, so that you get equal
certificates except they're self-signed. Use them as root CAs in Icinga.
* Each side has to provide its intermediate CAs along with the leaf certificate,
in `/var/lib/icinga2/certs/NODENAME.crt` starting with the leaf.

## Automation <a id="distributed-monitoring-automation"></a>

These hints should get you started with your own automation tools (Puppet, Ansible, Chef, Salt, etc.)
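Review bot: the new `#### External CA/PKI` heading is added without the `<a id="..."></a>` anchor that the neighbouring `## Automation <a id="distributed-monitoring-automation"></a>` heading carries; add one (e.g. `<a id="distributed-monitoring-external-ca"></a>`) so the section can be linked from elsewhere in the docs. Two documentation points in the same hunk: "cross-sign them with themselves" in the intermediate-CA list is hard to follow and would be clearer stated as "issue a self-signed copy of each intermediate (same subject and public key, issuer equal to subject) and put that copy in `ca.crt`", since that is what makes an intermediate usable as a trust anchor; and "in `/var/lib/icinga2/certs/NODENAME.crt` starting with the leaf" should spell out the full file order (leaf first, then each intermediate in issuing order) and say whether the root belongs in that file or only in `ca.crt`, so readers do not assemble the chain in the wrong order. Minor style: "Neither the above commands, nor their automatic counterparts" needs no comma before "nor", and sentences opening with "I.e."/"E.g." read better as "That is"/"For example".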
