@bodsch
Last active November 19, 2017 09:08
icinga2.8 ticket
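#!/bin/bash

# Working directory for the satellite's key, CSR and certificates.
DIR="/tmp/icinga-pki/xxxxxx"
SATELLITE="icinga2-satellite-2.matrix.lan"

# NOTE: `s` is not assigned anywhere in this script, so this hashes an empty line.
SALT=$(echo "${s}" | sha256sum | cut -f 1 -d ' ')

# Start from an empty directory owned by the icinga user.
[ -d "${DIR}" ] && rm -rf "${DIR}"
[ -d "${DIR}" ] || mkdir -vp "${DIR}"
chown icinga: "${DIR}"

# Create a private key and a certificate signing request for the satellite.
icinga2 pki new-cert \
  --cn "${SATELLITE}" \
  --key "${DIR}/${SATELLITE}.key" \
  --csr "${DIR}/${SATELLITE}.csr"

# Sign the CSR with the local CA.
icinga2 pki sign-csr \
  --csr "${DIR}/${SATELLITE}.csr" \
  --cert "${DIR}/${SATELLITE}.crt"

# Fetch the master's certificate and store it as the trusted certificate.
icinga2 pki save-cert \
  --key "${DIR}/${SATELLITE}.key" \
  --cert "${DIR}/${SATELLITE}.crt" \
  --trustedcert "${DIR}/trusted-master.crt" \
  --host icinga2-master.matrix.lan

# The ticket is generated for the master's CN; the request below is made
# with the certificate issued for ${SATELLITE}.
ticket=$(icinga2 pki ticket \
  --cn icinga2-master.matrix.lan \
  --salt "${SALT}")

# Request a signed certificate from the master using the ticket.
icinga2 pki request \
  --host icinga2-master.matrix.lan \
  --port 5665 \
  --ticket "${ticket}" \
  --key "${DIR}/${SATELLITE}.key" \
  --cert "${DIR}/${SATELLITE}.crt" \
  --trustedcert "${DIR}/trusted-master.crt" \
  --ca /var/lib/icinga2/certs/ca.crt
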
/etc/icinga2 # ./test.sh
created directory: '/tmp/icinga-pki/xxxxxx'
information/base: Writing private key to '/tmp/icinga-pki/xxxxxx/icinga2-satellite-2.matrix.lan.key'.
information/base: Writing certificate signing request to '/tmp/icinga-pki/xxxxxx/icinga2-satellite-2.matrix.lan.csr'.
information/pki: Writing certificate to file '/tmp/icinga-pki/xxxxxx/icinga2-satellite-2.matrix.lan.crt'.
information/cli: Retrieving X.509 certificate for 'icinga2-master.matrix.lan:5665'.
Subject: CN = icinga2-master.matrix.lan
Issuer: CN = Icinga CA
Valid From: Nov 19 08:17:55 2017 GMT
Valid Until: Nov 15 08:17:55 2032 GMT
Fingerprint: 3B 60 03 E6 55 65 C5 08 29 FC D5 D0 39 63 31 EF D1 DE F4 B8
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file '/tmp/icinga-pki/xxxxxx/trusted-master.crt'.
critical/cli: !!! The certificate for CN 'icinga2-satellite-2.matrix.lan' cannot be renewed yet.
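
Added example, not part of the original gist: the save-cert output above asks that the retrieved certificate be checked against the parent instance's certificate, while the script continues straight to pki request. The helper below compares the saved certificate's fingerprint with a value obtained out of band. The function names and EXPECTED_FP are hypothetical, and it assumes the 20-byte fingerprint icinga2 prints is the certificate's SHA-1 digest as openssl reports it.

```bash
# Added example (not from the gist). POSIX sh compatible; needs openssl.

# Reduce a fingerprint to bare uppercase hex so the icinga2 form
# ("3B 60 ...") and the openssl form ("SHA1 Fingerprint=3B:60:...")
# compare equal.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ' :\n\r\t' \
        | tr '[:lower:]' '[:upper:]'
}

# SHA-1 fingerprint of a PEM certificate file.
# Assumption: icinga2's 20-byte fingerprint is this same SHA-1 digest.
cert_fp() {
    _fp_out=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_fp "$_fp_out"
}

# True only if the first value is exactly 40 hex digits and equals the
# second. An empty or truncated pin therefore never matches.
fp_matches() {
    _fp_a=$(normalize_fp "$1")
    _fp_b=$(normalize_fp "$2")
    [ "${#_fp_a}" -eq 40 ] || return 1
    case "$_fp_a" in *[!0-9A-F]*) return 1 ;; esac
    [ "$_fp_a" = "$_fp_b" ]
}

# Returns 0 on match, 1 on mismatch, 2 if the certificate cannot be read.
verify_trusted_cert() {
    _fp_actual=$(cert_fp "$1") || return 2
    if ! fp_matches "$2" "$_fp_actual"; then
        echo "fingerprint mismatch for $1: got ${_fp_actual:-none}" >&2
        return 1
    fi
    return 0
}

# Hypothetical use between `pki save-cert` and `pki request`:
#   verify_trusted_cert "${DIR}/trusted-master.crt" "${EXPECTED_FP}" || exit 1
```

EXPECTED_FP has to come from the master's administrator over a separate channel; a value copied from the same save-cert run only confirms what was already retrieved over the network.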