Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance CSR Autosigning (CA proxy, etc.) #5450

Closed
dnsmichi opened this issue Aug 2, 2017 · 17 comments
Closed

Enhance CSR Autosigning (CA proxy, etc.) #5450

dnsmichi opened this issue Aug 2, 2017 · 17 comments
Assignees
Labels
area/cli Command line helpers area/distributed Distributed monitoring (master, satellites, clients) blocker Blocks a release or needs immediate attention enhancement New feature or request
Milestone

Comments

@dnsmichi
Copy link
Contributor

dnsmichi commented Aug 2, 2017

Description

Sponsored feature request.

Problem

Three level clusters where the clients should send their certificate signing requests to the master.

Clients need a direct connection to the CSR-Auto-Signing master. The satellites cannot forward the request.

Workarounds exist:

  • Temporarily allow client connection to the master
  • Manage and roll certificates with separate provision tools

Possible Solutions

Clients sends a signing request to the parent endpoint, which forwards the signing request to the master.
The master answers the request, and sends back the signed certificate.
The satellite stores the received certificate and sends it back to the client once received.

This is an asynchronous operation and requires the client to reconnect (which it already does).

The SSL handshake will fail (self-signed certificate), but the parent node needs to send back
a signed certificate, if any.

Client <-> Satellite

  • Send pki::RequestCertificate with CSR and ticket (optional)

Reconnect cycle. Store certificate in /var/lib/icinga2/pki (TODO)
Symlink /etc/icinga2/pki to /var/lib/icinga2/pki (Windows?) (TODO)

Satellite <-> Client

1.)

  • Forward pki::RequestCertificate to parent
  • Close the clients connection

2.)

  • Client connects, have local cached signed certificate?

  • Send back

  • forward possible pki::RequestCertificate

CSR Master <-> Satellite

  • if request contains a ticket, always immediately answer

  • otherwise write unaccepted CSR to local "todo" cache (TODO, nice2have)

  • if there are accepted signed certificates for the connecting endpoint and child zones, send them back (TODO, nice2have)

Satellite <-> CSR Master

  • forward all pki::RequestCertificate messages to the master
  • receive signed certificates for child zones, cache them

Housekeeping

Allow to purge obsolete requests. Best is a directory on disk which the user may control.

Problems

The client does not run as root, and cannot override /etc/icinga2/pki at runtime. Needs to store its
certificate in /var/lib/icinga2/pki

Ensure that the connecting client really is the one who should receive the certificate.

How about the trusted-master.crt fetch - this request needs to be proxied too.

Additional Benefits

Optional Ticket

Make the ticket optional. CSRs on the master without a valid ticket are not automatically answered.
Instead, there is a CLI command available which allows to manually sign those requests (one by one, with certificate prompt similar to Puppet).

Master just sends signed certificates back to corresponding clients.

Design Draft

ca_proxy_draft

Storage

Migration is required, new certificates and requests will be stored here.

/var/lib/icinga2
- ca
- certs (moved from /etc/icinga2/pki)
- certificate-requests

Inspired by https://docs.puppet.com/puppet/5.1/dirs_ssldir.html

Tasks

ca-proxy-tasks

@dnsmichi dnsmichi added area/cli Command line helpers area/distributed Distributed monitoring (master, satellites, clients) enhancement New feature or request labels Aug 2, 2017
@dnsmichi dnsmichi added this to the 2.8.0 milestone Aug 2, 2017
@dnsmichi
Copy link
Contributor Author

Updated the description with ongoing tasks.

@dnsmichi dnsmichi added the blocker Blocks a release or needs immediate attention label Aug 22, 2017
@dnsmichi
Copy link
Contributor Author

Message routing draft.

ca_proxy_message_routing

@gunnarbeutner
Copy link
Contributor

Here's the updated TODO list:

screen shot 2017-08-24 at 15 25 16

@gunnarbeutner
Copy link
Contributor

Updated TODO list: ca-proxy-2017-08-29.pdf

@gunnarbeutner
Copy link
Contributor

Updated TODO list: ca-proxy-2017-08-30.pdf

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 5, 2017

Ongoing tests. Cli commands, log messages and debug logs will change.

Two Level Scenario

Should work as before, bonus: ticket less signing on the master.

Ticket-less

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca list
Fingerprint                                                      | Timestamp           | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
0d50cfb5bb9e479c776032b3771e636025bdae0c993612ca982c658efe0c5914 | 2017/09/05 17:30:21 |        | CN = satellite
michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca sign 0d50cfb5bb9e479c776032b3771e636025bdae0c993612ca982c658efe0c5914
information/cli: Signed certificate for 'CN = satellite'.
michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca list
Fingerprint                                                      | Timestamp           | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
0d50cfb5bb9e479c776032b3771e636025bdae0c993612ca982c658efe0c5914 | 2017/09/05 17:30:21 | *      | CN = satellite

Client disconnect:

[2017-09-05 17:35:27 +0200] information/JsonRpcConnection: No messages for identity 'master' have been received in the last 60 seconds.
[2017-09-05 17:35:27 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master'
[2017-09-05 17:35:27 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master'
[2017-09-05 17:35:27 +0200] warning/ApiListener: Removing API client for endpoint 'master'. 0 API clients left.
[2017-09-05 17:35:27 +0200] warning/ApiListener: Removing API client for endpoint 'master'. 0 API clients left.

Reconnect

[2017-09-05 17:36:12 +0200] information/ApiListener: Reconnecting to endpoint 'master' via host '127.0.0.1' and port '5665'
[2017-09-05 17:36:12 +0200] information/ApiListener: New client connection for identity 'master' to [127.0.0.1]:5665
>> {"jsonrpc":"2.0","method":"icinga::Hello","params":{}}
[2017-09-05 17:36:12 +0200] information/ApiListener: Finished reconnecting to endpoint 'master' via host '127.0.0.1' and port '5665'
[2017-09-05 17:36:12 +0200] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'master'.
>> {"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":""}}
[2017-09-05 17:36:12 +0200] information/ApiListener: Sending config updates for endpoint 'master' in zone 'master'.
[2017-09-05 17:36:12 +0200] information/ApiListener: Finished sending config file updates for endpoint 'master' in zone 'master'.
[2017-09-05 17:36:12 +0200] information/ApiListener: Syncing runtime objects to endpoint 'master'.
>> {"jsonrpc":"2.0","method":"config::UpdateObject","params":{"config":"object Downtime \"mbmif.int.netways.de-1504625532-0\" ignore_on_error {\n\tauthor = \"icingaadmin\"\n\tcomment = \"Scheduled downtime for backup\"\n\tconfig_owner = \"satellite!load!backup-downtime\"\n\tduration = 0.000000\n\tend_time = 1504659600.000000\n\tentry_time = 1504625532.103568\n\tfixed = true\n\thost_name = \"satellite\"\n\tscheduled_by = \"satellite!load!backup-downtime\"\n\tservice_name = \"load\"\n\tstart_time = 1504656000.000000\n\ttriggered_by = \"\"\n\tversion = 1504625532.103645\n}\n","modified_attributes":{},"name":"satellite!load!mbmif.int.netways.de-1504625532-0","original_attributes":[],"type":"Downtime","version":1504625532.1036450863}}
[2017-09-05 17:36:12 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'master'.
[2017-09-05 17:36:12 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'master' in zone 'master'.
[2017-09-05 17:36:12 +0200] information/ApiListener: Sending replay log for endpoint 'master' in zone 'master'.
<< {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIExzCCAq+gAwIBAgIVAJs4XXaa+dl5APBi4LbNU0axOMApMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDUxNTM0NTVaFw0zMjA5\nMDExNTM0NTVaMBQxEjAQBgNVBAMMCXNhdGVsbGl0ZTCCAiIwDQYJKoZIhvcNAQEB\nBQADggIPADCCAgoCggIBAM9Vd85lalb/AS4QrFn92WFGduvOwNqMps0Idmp7QrH/\n1MZQ7Ic5RmoxBcaa8BTi/BimlDUVEf3CY9DNjKrn81L5zrrcTm72ZAH/8SLQ4mzh\nt72U/79BkI1DLIW+Y273Rxz1u+3tyTtxGiPiQBVeHEfwSBMEl+ITpmzBDt+YBHBB\nYhPPlKJs6niAioQOIqScPsZlGA95SiU7zwddg49If6LZv0PwEfAdtT+zmLyK0r2Y\nWtl8S/3SOMXpxWCTivUjy35w2pS29Ms00Wy/CPk+Yz3Rlo5/zlSytfvTSKVyvyrp\nrHKYjuhodog/iVCYTLw1ArsLjtQCST82oYYcizA/pVV6k3gF9vJibqPiJjsJNA/O\nowoDmHpyct6FXi91peCYK5WTsdaDAOMtLyex3MDGfCxWHiIEXiCSuA+3KsEDLvrh\nzhQliqw3NmTw3AGaQNfhOszW7sXvfjrCpvkpLlIyzs0cycwE0YvRTW9fKYNgRI6h\nZ2OAsjc7dm7yEpVaqjqtXhnZT3tcLp1icTc37hrEHy1RJTZEZZaM6W/3Gdbszbmn\narf/NrrciiFs2BnBS21BTDWPOiaaXGgXl5wQ+Ok3TSP+tvpQO7k6UjqQKHYBjzlA\n/Es8Lh752Z6FwVqkAADd3hehWBRIQbXvSKeyfv1LInbqxmMts2YfyUcBnu+QPyeN\nAgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBACRMAiY6\nAdbdFBRFr5UjTD6146gLnDetcszcEgYHZJ2vuoe78xev75wSNpTd8ANoRxUC0x1t\nm6j/Y6fenNPOEjymD57ctKFYK4AiImqQPevuhbLdKIBXPH8Y3HNHJbhtL6nzqEVw\n+GTfzmK3BilceYn6QNFw1JDw2CTCsTY0Jmq6jTPN9s62UZEk7vW+0e+t+p2ENIuv\np9pyEcj/lDdqyeHziWpEthzey76bZ0UxrGABHXf2u7tt411WtbHYQkYQujz+rCpE\nQySsGwY7BQGaXYEovfL4ZhY9vWsZlWfFp6y5CgezE5eMp8COW+kk5rTGpEnjt5a7\nQycXtBltA9AywCFCen9O0l9Vtvk4SArJuuJieEMqwhDDwFADctwxD/w5m0wnMiv0\ncums8pBxoGeCCgcITXBXDULLTHdQpNyOTQG75CAV/ice2LFZjqepNP1R30byz2TW\n8LNBz/j2IPE29ZBhG7/mpN/ctyUiaghDxZGZyHasR73gjHoqWwD9ltyCHwxe2PKS\nSh9hZ7lu694aPLOmxk3UxOgbkk114SUbtkLJPrcQ0LYZzwhq9F1HTFp0F9Z+jYyS\nLXhKZQrEFL+rGJRXmiDh5+1CTsSy1Yj7IToSZ5nB1r1GbcD9kmLU+PtEksOGt7gt\n+Oq4HyQrL6GrNUq+Od4YGFyl/yAbLAKK8Rjg\n-----END CERTIFICATE-----\n","fingerprint_request":"0d50cfb5bb9e479c776032b3771e636025bdae0c993612ca982c658efe0c5914","status_code":0.0}}
>> {"jsonrpc":"2.0","method":"log::SetLogPosition","params":{"log_position":1504625652.0}}
[2017-09-05 17:36:12 +0200] warning/JsonRpcConnection: {
	ca = "-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n"
	cert = "-----BEGIN CERTIFICATE-----\nMIIExzCCAq+gAwIBAgIVAJs4XXaa+dl5APBi4LbNU0axOMApMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDUxNTM0NTVaFw0zMjA5\nMDExNTM0NTVaMBQxEjAQBgNVBAMMCXNhdGVsbGl0ZTCCAiIwDQYJKoZIhvcNAQEB\nBQADggIPADCCAgoCggIBAM9Vd85lalb/AS4QrFn92WFGduvOwNqMps0Idmp7QrH/\n1MZQ7Ic5RmoxBcaa8BTi/BimlDUVEf3CY9DNjKrn81L5zrrcTm72ZAH/8SLQ4mzh\nt72U/79BkI1DLIW+Y273Rxz1u+3tyTtxGiPiQBVeHEfwSBMEl+ITpmzBDt+YBHBB\nYhPPlKJs6niAioQOIqScPsZlGA95SiU7zwddg49If6LZv0PwEfAdtT+zmLyK0r2Y\nWtl8S/3SOMXpxWCTivUjy35w2pS29Ms00Wy/CPk+Yz3Rlo5/zlSytfvTSKVyvyrp\nrHKYjuhodog/iVCYTLw1ArsLjtQCST82oYYcizA/pVV6k3gF9vJibqPiJjsJNA/O\nowoDmHpyct6FXi91peCYK5WTsdaDAOMtLyex3MDGfCxWHiIEXiCSuA+3KsEDLvrh\nzhQliqw3NmTw3AGaQNfhOszW7sXvfjrCpvkpLlIyzs0cycwE0YvRTW9fKYNgRI6h\nZ2OAsjc7dm7yEpVaqjqtXhnZT3tcLp1icTc37hrEHy1RJTZEZZaM6W/3Gdbszbmn\narf/NrrciiFs2BnBS21BTDWPOiaaXGgXl5wQ+Ok3TSP+tvpQO7k6UjqQKHYBjzlA\n/Es8Lh752Z6FwVqkAADd3hehWBRIQbXvSKeyfv1LInbqxmMts2YfyUcBnu+QPyeN\nAgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBACRMAiY6\nAdbdFBRFr5UjTD6146gLnDetcszcEgYHZJ2vuoe78xev75wSNpTd8ANoRxUC0x1t\nm6j/Y6fenNPOEjymD57ctKFYK4AiImqQPevuhbLdKIBXPH8Y3HNHJbhtL6nzqEVw\n+GTfzmK3BilceYn6QNFw1JDw2CTCsTY0Jmq6jTPN9s62UZEk7vW+0e+t+p2ENIuv\np9pyEcj/lDdqyeHziWpEthzey76bZ0UxrGABHXf2u7tt411WtbHYQkYQujz+rCpE\nQySsGwY7BQGaXYEovfL4ZhY9vWsZlWfFp6y5CgezE5eMp8COW+kk5rTGpEnjt5a7\nQycXtBltA9AywCFCen9O0l9Vtvk4SArJuuJieEMqwhDDwFADctwxD/w5m0wnMiv0\ncums8pBxoGeCCgcITXBXDULLTHdQpNyOTQG75CAV/ice2LFZjqepNP1R30byz2TW\n8LNBz/j2IPE29ZBhG7/mpN/ctyUiaghDxZGZyHasR73gjHoqWwD9ltyCHwxe2PKS\nSh9hZ7lu694aPLOmxk3UxOgbkk114SUbtkLJPrcQ0LYZzwhq9F1HTFp0F9Z+jYyS\nLXhKZQrEFL+rGJRXmiDh5+1CTsSy1Yj7IToSZ5nB1r1GbcD9kmLU+PtEksOGt7gt\n+Oq4HyQrL6GrNUq+Od4YGFyl/yAbLAKK8Rjg\n-----END CERTIFICATE-----\n"
	fingerprint_request = "0d50cfb5bb9e479c776032b3771e636025bdae0c993612ca982c658efe0c5914"
	status_code = 0.000000
}
[2017-09-05 17:36:12 +0200] warning/JsonRpcConnection: Received certificate update message for CN 'satellite'
[2017-09-05 17:36:12 +0200] information/JsonRpcConnection: Updating the client certificate for the ApiListener object
[2017-09-05 17:36:12 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master'
[2017-09-05 17:36:12 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master'
[2017-09-05 17:36:12 +0200] warning/ApiListener: Removing API client for endpoint 'master'. 0 API clients left.

Certificate is updated on disk and in-memory including a reconnect to re-establish the connection using the signed certificates.

Ticket

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a pki ticket --cn 'satellite'
f814303a67603e458812adefa615a9b13ba1e295

Client wizard with ticket:

michi@mbmif ~/coding/testing/icinga2 (master *) $ sudo ./icinga2b node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:
Starting the Node setup routine...
Please specify the common name (CN) [mbmif.int.netways.de]: satellite
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): master
Do you want to establish a connection to the master from this node? [Y/n]:
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): 127.0.0.1
Master endpoint port [5665]:
Add more master endpoints? [y/N]:
information/base: Writing private key to 'var-b/lib/icinga2/pki//satellite.key'.
information/base: Writing X509 certificate to 'var-b/lib/icinga2/pki//satellite.crt'.
information/cli: Fetching public certificate from master (127.0.0.1, 5665):

Certificate information:

 Subject:     CN = master
 Issuer:      CN = Icinga CA
 Valid From:  Sep  5 12:41:06 2017 GMT
 Valid Until: Sep  1 12:41:06 2032 GMT
 Fingerprint: 44 96 4E 45 06 36 78 1B 26 24 21 F2 FF B9 E7 39 A2 31 0E D1

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'satellite'): f814303a67603e458812adefa615a9b13ba1e295
information/cli: Requesting certificate with ticket 'f814303a67603e458812adefa615a9b13ba1e295'.
information/cli: Created backup file 'var-b/lib/icinga2/pki//satellite.crt.orig'.
>> {"id":"mbmif.int.netways.de-1504626031-1","jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":"f814303a67603e458812adefa615a9b13ba1e295"}}
<< {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIExzCCAq+gAwIBAgIVAJQOT8dxcUo/jrCL8N8Ac4YsHa1FMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDUxNTQwMzFaFw0zMjA5\nMDExNTQwMzFaMBQxEjAQBgNVBAMMCXNhdGVsbGl0ZTCCAiIwDQYJKoZIhvcNAQEB\nBQADggIPADCCAgoCggIBAKVTQw+9JVf8WDvmMMBnubIX7k6GSC/4UMsY4KX+XQE/\nj0CtLTh8AaXwvCyL7wWW7cKwWP9Gq5p40383DJ/Yj+2pxDKMXps/hSnzmqyz+3n/\nSwWGmw6FuXz7ikTj5STzoIyMw3/87c9fefQk8L2cPixoe6f6S/YsuRZeLwNR8bx7\nmHU/zkrHtPZG39Y7sm56S3Hh3cz7rQTMkqRevF4wbC4NPK/FGkKvoT/HzXO9s+aC\nzTn7uhb8xrysFQVnFMKqnkfZ+xBapiHHQK+5Q4RpQddl0Rnmtnx3DoSP52x3qmoP\nfKPGwYP8v+0yI6BCvYWhRKJGQXB8q/s1jkzFALqpXQumGepD7pR4/++dscDZQ9kG\nOnXH/6WyWFBD74PZ2LD9llwkYoltVpM6qcOKmfKxHZuq/if2/hjf8TT/EGjzv/zs\n7VOiQlrf72RnBIOAZin4Iu6CEPwZ5CffzJZ6gdmi/nSxn6v2L4U2TS/zyjk9XGTJ\n4tCfeOgHogtV/bZkiIov27W5pzIK5SRwVlukh8Zn6jX7SNy+g+aENBD2HdTKrt+v\nauhz/zQwZwgWdayG1R4FLM1ByfsIUH0/GIpFGBJRZ6EElZfZu20lCs4evJPgC+6T\n56+jrW7mfYZ71bIjXD97XjKMzHDYNQ1zp8AOBwQG3RyN3xCTHx3iljVJPg12wGbj\nAgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAKo4JVi5\naEIENfVk3s9Q6Mdhite2CUYNF+L+gJjS2wQNV+AVn+EW5fcV7n4JhPTKV6wDWPZf\n0G2HNd4OSByesvzBQ/M6oPipRqsJbAP3qBPf60YucefxzxKAy08dsQ0Z3/fGzoxQ\n7jxlBrfOK39ITbppqt/dGCHM08qOpwrtpQKXqowp3Nb78EpOhrpCh967lW8Qt6Yo\neLWo4ZM3LDdDOlTqMEnRx0k8RSXgQyHDzGulqslarjOMYSZGemXSOK//N5XP/ngp\ny9tJ1g8Qmx7nu2BxsHU1nQL9QdYm5RVIjf4ddMhLPv5sa4N566VC3t60yp7qBbpR\n5c2aZ0v45I5/w0r/qsrkDI34wdMhp906LefIG3eYyr3AtYsoStYnCXWMU6HV5PWW\nQbDzk+6QA7/32Lmw1LNubYKWvvy31U1tfCKbSSLdD4AsKZ5X7Ozmq5Ddl5dLVMmz\nMCZaKq0r8KeagM0yVyXn9nDkZ/288R+BUopuQtBwyKiaXzg7fPPc/vQj+ZSbL0PM\nRU4OsE2rOBLjygKpEkAtWAU6OrqpwXI+9uCMhbEGWLJHLEytpcAAKRDVPgpFvccZ\nbmyxUsa+n9t3FM9xlF5KHT8r09HlV01ukgWe7FkLzQlbefspBum2TBjln+5gYUKX\nIOmpUqTPoZa/JWY+/U1reuid7lrYzvdtcpin\n-----END CERTIFICATE-----\n","fingerprint_request":"f75fc8522cc5a8528c278964f4d7414ebf9576b248a237df14d263a47f79b0d9","status_code":0.0}}
<< {"id":"mbmif.int.netways.de-1504626031-1","jsonrpc":"2.0","result":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIExzCCAq+gAwIBAgIVAJQOT8dxcUo/jrCL8N8Ac4YsHa1FMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDUxNTQwMzFaFw0zMjA5\nMDExNTQwMzFaMBQxEjAQBgNVBAMMCXNhdGVsbGl0ZTCCAiIwDQYJKoZIhvcNAQEB\nBQADggIPADCCAgoCggIBAKVTQw+9JVf8WDvmMMBnubIX7k6GSC/4UMsY4KX+XQE/\nj0CtLTh8AaXwvCyL7wWW7cKwWP9Gq5p40383DJ/Yj+2pxDKMXps/hSnzmqyz+3n/\nSwWGmw6FuXz7ikTj5STzoIyMw3/87c9fefQk8L2cPixoe6f6S/YsuRZeLwNR8bx7\nmHU/zkrHtPZG39Y7sm56S3Hh3cz7rQTMkqRevF4wbC4NPK/FGkKvoT/HzXO9s+aC\nzTn7uhb8xrysFQVnFMKqnkfZ+xBapiHHQK+5Q4RpQddl0Rnmtnx3DoSP52x3qmoP\nfKPGwYP8v+0yI6BCvYWhRKJGQXB8q/s1jkzFALqpXQumGepD7pR4/++dscDZQ9kG\nOnXH/6WyWFBD74PZ2LD9llwkYoltVpM6qcOKmfKxHZuq/if2/hjf8TT/EGjzv/zs\n7VOiQlrf72RnBIOAZin4Iu6CEPwZ5CffzJZ6gdmi/nSxn6v2L4U2TS/zyjk9XGTJ\n4tCfeOgHogtV/bZkiIov27W5pzIK5SRwVlukh8Zn6jX7SNy+g+aENBD2HdTKrt+v\nauhz/zQwZwgWdayG1R4FLM1ByfsIUH0/GIpFGBJRZ6EElZfZu20lCs4evJPgC+6T\n56+jrW7mfYZ71bIjXD97XjKMzHDYNQ1zp8AOBwQG3RyN3xCTHx3iljVJPg12wGbj\nAgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAKo4JVi5\naEIENfVk3s9Q6Mdhite2CUYNF+L+gJjS2wQNV+AVn+EW5fcV7n4JhPTKV6wDWPZf\n0G2HNd4OSByesvzBQ/M6oPipRqsJbAP3qBPf60YucefxzxKAy08dsQ0Z3/fGzoxQ\n7jxlBrfOK39ITbppqt/dGCHM08qOpwrtpQKXqowp3Nb78EpOhrpCh967lW8Qt6Yo\neLWo4ZM3LDdDOlTqMEnRx0k8RSXgQyHDzGulqslarjOMYSZGemXSOK//N5XP/ngp\ny9tJ1g8Qmx7nu2BxsHU1nQL9QdYm5RVIjf4ddMhLPv5sa4N566VC3t60yp7qBbpR\n5c2aZ0v45I5/w0r/qsrkDI34wdMhp906LefIG3eYyr3AtYsoStYnCXWMU6HV5PWW\nQbDzk+6QA7/32Lmw1LNubYKWvvy31U1tfCKbSSLdD4AsKZ5X7Ozmq5Ddl5dLVMmz\nMCZaKq0r8KeagM0yVyXn9nDkZ/288R+BUopuQtBwyKiaXzg7fPPc/vQj+ZSbL0PM\nRU4OsE2rOBLjygKpEkAtWAU6OrqpwXI+9uCMhbEGWLJHLEytpcAAKRDVPgpFvccZ\nbmyxUsa+n9t3FM9xlF5KHT8r09HlV01ukgWe7FkLzQlbefspBum2TBjln+5gYUKX\nIOmpUqTPoZa/JWY+/U1reuid7lrYzvdtcpin\n-----END CERTIFICATE-----\n","fingerprint_request":"f75fc8522cc5a8528c278964f4d7414ebf9576b248a237df14d263a47f79b0d9","status_code":0.0}}
information/cli: Writing CA certificate to file 'var-b/lib/icinga2/pki//ca.crt'.
information/cli: Writing signed certificate to file 'var-b/lib/icinga2/pki//satellite.crt'.
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []: 5666

Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
warning/cli: Feature 'notification' already disabled.
information/cli: Enabling the ApiListener feature.
warning/cli: Feature 'api' already enabled.
warning/cli: Backup file 'etc-b/icinga2/features-available/api.conf.orig' already exists. Skipping backup.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file 'etc-b/icinga2/zones.conf'.
warning/cli: Backup file 'etc-b/icinga2/zones.conf.orig' already exists. Skipping backup.
warning/cli: CN 'satellite' does not match the default FQDN 'mbmif.int.netways.de'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
warning/cli: Backup file 'etc-b/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Updating constants file 'etc-b/icinga2/constants.conf'.
information/cli: Updating constants file 'etc-b/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!

Master:

[2017-09-05 17:40:31 +0200] information/ApiListener: New client connection for identity 'satellite' from [::ffff:127.0.0.1]:64550 (certificate validation failed: code 18: self signed certificate)
<< {"id":"mbmif.int.netways.de-1504626031-1","jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":"f814303a67603e458812adefa615a9b13ba1e295"}}
>> {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIExzCCAq+gAwIBAgIVAJQOT8dxcUo/jrCL8N8Ac4YsHa1FMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDUxNTQwMzFaFw0zMjA5\nMDExNTQwMzFaMBQxEjAQBgNVBAMMCXNhdGVsbGl0ZTCCAiIwDQYJKoZIhvcNAQEB\nBQADggIPADCCAgoCggIBAKVTQw+9JVf8WDvmMMBnubIX7k6GSC/4UMsY4KX+XQE/\nj0CtLTh8AaXwvCyL7wWW7cKwWP9Gq5p40383DJ/Yj+2pxDKMXps/hSnzmqyz+3n/\nSwWGmw6FuXz7ikTj5STzoIyMw3/87c9fefQk8L2cPixoe6f6S/YsuRZeLwNR8bx7\nmHU/zkrHtPZG39Y7sm56S3Hh3cz7rQTMkqRevF4wbC4NPK/FGkKvoT/HzXO9s+aC\nzTn7uhb8xrysFQVnFMKqnkfZ+xBapiHHQK+5Q4RpQddl0Rnmtnx3DoSP52x3qmoP\nfKPGwYP8v+0yI6BCvYWhRKJGQXB8q/s1jkzFALqpXQumGepD7pR4/++dscDZQ9kG\nOnXH/6WyWFBD74PZ2LD9llwkYoltVpM6qcOKmfKxHZuq/if2/hjf8TT/EGjzv/zs\n7VOiQlrf72RnBIOAZin4Iu6CEPwZ5CffzJZ6gdmi/nSxn6v2L4U2TS/zyjk9XGTJ\n4tCfeOgHogtV/bZkiIov27W5pzIK5SRwVlukh8Zn6jX7SNy+g+aENBD2HdTKrt+v\nauhz/zQwZwgWdayG1R4FLM1ByfsIUH0/GIpFGBJRZ6EElZfZu20lCs4evJPgC+6T\n56+jrW7mfYZ71bIjXD97XjKMzHDYNQ1zp8AOBwQG3RyN3xCTHx3iljVJPg12wGbj\nAgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAKo4JVi5\naEIENfVk3s9Q6Mdhite2CUYNF+L+gJjS2wQNV+AVn+EW5fcV7n4JhPTKV6wDWPZf\n0G2HNd4OSByesvzBQ/M6oPipRqsJbAP3qBPf60YucefxzxKAy08dsQ0Z3/fGzoxQ\n7jxlBrfOK39ITbppqt/dGCHM08qOpwrtpQKXqowp3Nb78EpOhrpCh967lW8Qt6Yo\neLWo4ZM3LDdDOlTqMEnRx0k8RSXgQyHDzGulqslarjOMYSZGemXSOK//N5XP/ngp\ny9tJ1g8Qmx7nu2BxsHU1nQL9QdYm5RVIjf4ddMhLPv5sa4N566VC3t60yp7qBbpR\n5c2aZ0v45I5/w0r/qsrkDI34wdMhp906LefIG3eYyr3AtYsoStYnCXWMU6HV5PWW\nQbDzk+6QA7/32Lmw1LNubYKWvvy31U1tfCKbSSLdD4AsKZ5X7Ozmq5Ddl5dLVMmz\nMCZaKq0r8KeagM0yVyXn9nDkZ/288R+BUopuQtBwyKiaXzg7fPPc/vQj+ZSbL0PM\nRU4OsE2rOBLjygKpEkAtWAU6OrqpwXI+9uCMhbEGWLJHLEytpcAAKRDVPgpFvccZ\nbmyxUsa+n9t3FM9xlF5KHT8r09HlV01ukgWe7FkLzQlbefspBum2TBjln+5gYUKX\nIOmpUqTPoZa/JWY+/U1reuid7lrYzvdtcpin\n-----END CERTIFICATE-----\n","fingerprint_request":"f75fc8522cc5a8528c278964f4d7414ebf9576b248a237df14d263a47f79b0d9","status_code":0.0}}
>> {"id":"mbmif.int.netways.de-1504626031-1","jsonrpc":"2.0","result":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIExzCCAq+gAwIBAgIVAJQOT8dxcUo/jrCL8N8Ac4YsHa1FMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDUxNTQwMzFaFw0zMjA5\nMDExNTQwMzFaMBQxEjAQBgNVBAMMCXNhdGVsbGl0ZTCCAiIwDQYJKoZIhvcNAQEB\nBQADggIPADCCAgoCggIBAKVTQw+9JVf8WDvmMMBnubIX7k6GSC/4UMsY4KX+XQE/\nj0CtLTh8AaXwvCyL7wWW7cKwWP9Gq5p40383DJ/Yj+2pxDKMXps/hSnzmqyz+3n/\nSwWGmw6FuXz7ikTj5STzoIyMw3/87c9fefQk8L2cPixoe6f6S/YsuRZeLwNR8bx7\nmHU/zkrHtPZG39Y7sm56S3Hh3cz7rQTMkqRevF4wbC4NPK/FGkKvoT/HzXO9s+aC\nzTn7uhb8xrysFQVnFMKqnkfZ+xBapiHHQK+5Q4RpQddl0Rnmtnx3DoSP52x3qmoP\nfKPGwYP8v+0yI6BCvYWhRKJGQXB8q/s1jkzFALqpXQumGepD7pR4/++dscDZQ9kG\nOnXH/6WyWFBD74PZ2LD9llwkYoltVpM6qcOKmfKxHZuq/if2/hjf8TT/EGjzv/zs\n7VOiQlrf72RnBIOAZin4Iu6CEPwZ5CffzJZ6gdmi/nSxn6v2L4U2TS/zyjk9XGTJ\n4tCfeOgHogtV/bZkiIov27W5pzIK5SRwVlukh8Zn6jX7SNy+g+aENBD2HdTKrt+v\nauhz/zQwZwgWdayG1R4FLM1ByfsIUH0/GIpFGBJRZ6EElZfZu20lCs4evJPgC+6T\n56+jrW7mfYZ71bIjXD97XjKMzHDYNQ1zp8AOBwQG3RyN3xCTHx3iljVJPg12wGbj\nAgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAKo4JVi5\naEIENfVk3s9Q6Mdhite2CUYNF+L+gJjS2wQNV+AVn+EW5fcV7n4JhPTKV6wDWPZf\n0G2HNd4OSByesvzBQ/M6oPipRqsJbAP3qBPf60YucefxzxKAy08dsQ0Z3/fGzoxQ\n7jxlBrfOK39ITbppqt/dGCHM08qOpwrtpQKXqowp3Nb78EpOhrpCh967lW8Qt6Yo\neLWo4ZM3LDdDOlTqMEnRx0k8RSXgQyHDzGulqslarjOMYSZGemXSOK//N5XP/ngp\ny9tJ1g8Qmx7nu2BxsHU1nQL9QdYm5RVIjf4ddMhLPv5sa4N566VC3t60yp7qBbpR\n5c2aZ0v45I5/w0r/qsrkDI34wdMhp906LefIG3eYyr3AtYsoStYnCXWMU6HV5PWW\nQbDzk+6QA7/32Lmw1LNubYKWvvy31U1tfCKbSSLdD4AsKZ5X7Ozmq5Ddl5dLVMmz\nMCZaKq0r8KeagM0yVyXn9nDkZ/288R+BUopuQtBwyKiaXzg7fPPc/vQj+ZSbL0PM\nRU4OsE2rOBLjygKpEkAtWAU6OrqpwXI+9uCMhbEGWLJHLEytpcAAKRDVPgpFvccZ\nbmyxUsa+n9t3FM9xlF5KHT8r09HlV01ukgWe7FkLzQlbefspBum2TBjln+5gYUKX\nIOmpUqTPoZa/JWY+/U1reuid7lrYzvdtcpin\n-----END CERTIFICATE-----\n","fingerprint_request":"f75fc8522cc5a8528c278964f4d7414ebf9576b248a237df14d263a47f79b0d9","status_code":0.0}}
[2017-09-05 17:40:31 +0200] warning/JsonRpcConnection: API client disconnected for identity 'satellite'

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 6, 2017

Three level cluster

Ticket based

Master generates client ticket.

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a pki ticket --cn 'agent'
2ee30af7c62c0509421d8b11d82335111b519032

Client sends delayed request.

michi@mbmif ~/coding/testing/icinga2 (master *) $ sudo ./icinga2c node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:
Starting the Node setup routine...
Please specify the common name (CN) [mbmif.int.netways.de]: agent
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): satellite
Do you want to establish a connection to the master from this node? [Y/n]:
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): 127.0.0.1
Master endpoint port [5665]: 5666
Add more master endpoints? [y/N]:
information/base: Writing private key to 'var-c/lib/icinga2/certs//agent.key'.
information/base: Writing X509 certificate to 'var-c/lib/icinga2/certs//agent.crt'.
information/cli: Fetching public certificate from master (127.0.0.1, 5666):

Certificate information:

 Subject:     CN = satellite
 Issuer:      CN = Icinga CA
 Valid From:  Sep  5 15:40:31 2017 GMT
 Valid Until: Sep  1 15:40:31 2032 GMT
 Fingerprint: DE C1 45 F5 AB FB D1 44 CD 93 FE 37 2F 49 A4 A6 DF 01 77 44

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'agent'): 2ee30af7c62c0509421d8b11d82335111b519032
information/cli: Requesting certificate with ticket '2ee30af7c62c0509421d8b11d82335111b519032'.
information/cli: Created backup file 'var-c/lib/icinga2/certs//agent.crt.orig'.
>> {"id":"mbmif.int.netways.de-1504691835-1","jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":"2ee30af7c62c0509421d8b11d82335111b519032"}}
<< {"id":"mbmif.int.netways.de-1504691835-1","jsonrpc":"2.0","result":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","error":"Certificate request is pending. Waiting for approval from the parent Icinga instance.","fingerprint_request":"6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620","status_code":2.0}}
information/cli: Writing CA certificate to file 'var-c/lib/icinga2/certs//ca.crt'.
information/cli: !!!!!!
information/cli: !!! Certificate request is pending. Waiting for approval from the parent Icinga instance.
information/cli: !!!!!!
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []: 5667

Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
warning/cli: Feature 'notification' already disabled.
information/cli: Enabling the ApiListener feature.
warning/cli: Feature 'api' already enabled.
warning/cli: Backup file 'etc-c/icinga2/features-available/api.conf.orig' already exists. Skipping backup.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file 'etc-c/icinga2/zones.conf'.
warning/cli: Backup file 'etc-c/icinga2/zones.conf.orig' already exists. Skipping backup.
warning/cli: CN 'agent' does not match the default FQDN 'mbmif.int.netways.de'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
warning/cli: Backup file 'etc-c/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Updating constants file 'etc-c/icinga2/constants.conf'.
information/cli: Updating constants file 'etc-c/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!

Satellite forwards request to the master.

[2017-09-06 11:57:15 +0200] information/ApiListener: New client connection for identity 'agent' from [::ffff:127.0.0.1]:55071 (certificate validation failed: code 18: self signed certificate)
<< {"id":"mbmif.int.netways.de-1504691835-1","jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":"2ee30af7c62c0509421d8b11d82335111b519032"}}
>> {"id":"mbmif.int.netways.de-1504691835-1","jsonrpc":"2.0","result":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","error":"Certificate request is pending. Waiting for approval from the parent Icinga instance.","fingerprint_request":"6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620","status_code":2.0}}
>>
{"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"cert_request":"-----BEGIN CERTIFICATE-----\nMIIEvzCCAqegAwIBAgIVANKQ9IbQhLjIBlMC1gYbjQndC5v9MA0GCSqGSIb3DQEB\nCwUAMBAxDjAMBgNVBAMMBWFnZW50MB4XDTE3MDkwNjA5NTQ1OFoXDTMyMDkwMjA5\nNTQ1OFowEDEOMAwGA1UEAwwFYWdlbnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\nggIKAoICAQDWTF52oDZQoDFGAA4joV7wWuONyILKARsHj+577VsOiXfXXW25BT/R\nmUNumxOLpQnMgULBB/lovWjOxo5dhYrwGDOQqQRjaPgDcrsl/cvKpEliBwiV/Aab\nPcvMO9s1V/ddw7EaZAQ2Fh1oo86uH9XdQAOT2KthNNzIfgvEV6W6SYU2th9xa5kt\nJ6SMT9o1LLzhw8EKRKOAYyoTvtSmYwaJs8v+XyywupDDx7iRbXt21UBrdLBgsHK4\nmIbznbK5gb7QnkJ1MEZKs844LCm/ybGhMGByVHqKpxqvp7fhGtMc8t7Mrwu+YS9+\nXx79elr6PUxCdpvZEwBixs63a8/eI1U/ZAhmJQz54O6ntGCmDBigA6XHgVDWMrGJ\nrYi/uBNLbvAlxbpWhGlExdjUhUi9oLdqvqWL1adu0zqXHihqbfJa3jJXi0G0/lgh\nlfR7gXQG4d9EJryhGW+EOAPvorRegcIErrlnt0BdsnR4nMCz7vD4240rNfIYZCsk\nl8BhLnNIHgcfSMKX3L8whlW531YjEP4TjGWq7w7AKUkzeilPu3yw5y7n/xwU8dQT\nIbAKJ2pelmbYbHQEWqO/WIbsP3cRjT47vqGn972gqgu0eUjHgeQx4VCpkJD8kHqi\nd3hWv2H0eUGRPAc5QYXGt7CQm3d8vLQdQcVxo60vBcpAazd3T32fpQIDAQABoxAw\nDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCrdgcueo8C4qjNcTz0\nSF1xFtnUOutrsc6IAMbM/msTQzSnA+bcjviA7BPzqdwsFzWJblWUHygo8/yUDJD4\naPvaHRfgAKdhhKJv4iIhdDJ8O4uqaXTb5+FNMSS7axvUgbrIMUifnuAhimVYkou4\nONnEBpo9wMmE6mtFL1oKZ/gTEzhc/cRvK9uWDoDhIWYrduvlJeKIpou9Xxu+swmc\nbdFQ7in8bCK+1tH+zcTr+PWu+9CwYouZyKBgHZEvEc/u/BfwY4SK56T5w0zynqiw\n84+I8Y3d4yo66tdV35IdSGIF0nMdCZAj/e+veWi3YfhItzUj8mLoyfeLE9fHQXcM\n0p97bLbXJ52F/yblKEALuOB9rDlBzQ756N8Z1OieutSmHn/k9HCE4t5qzggeU77G\n6dk41AUL2pHSInp9YKDfWh2FWPxYHCyo/7FtxeutZbDlJcJehIdOJbna0oE6lyzg\nkjUA0PmgoDzKFzzN+vOwNg3wNGMmf13qDumBou4SENQflXZdjjGwN0lKeXqhxofa\nHhX8EPQG8L17O366NNmJ6v/DtEDXyeYl1q9GBYeR30mpxlDDWNEXID19Pwk44ttQ\nNgWrQBEFrh5tx3OMrHvCz0Dp7Ea7hrbKQqp62vjhejPhkv5ApyilS74qNsq2X0l6\nRoAfCsl66kf7mrHaN0EmkKrPgw==\n-----END CERTIFICATE-----\n","ticket":"2ee30af7c62c0509421d8b11d82335111b519032"},"ts":1504691835.2810029984}

Master signs the certificate request immediately, since it contains a valid ticket. If not, a warning is logged, i.e. the identity does not match or the ticket hash is invalid.

oDFGAA4joV7wWuONyILKARsHj+577VsOiXfXXW25BT/R\nmUNumxOLpQnMgULBB/lovWjOxo5dhYrwGDOQqQRjaPgDcrsl/cvKpEliBwiV/Aab\nPcvMO9s1V/ddw7EaZAQ2Fh1oo86uH9XdQAOT2KthNNzIfgvEV6W6SYU2th9xa5kt\nJ6SMT9o1LLzhw8EKRKOAYyoTvtSmYwaJs8v+XyywupDDx7iRbXt21UBrdLBgsHK4\nmIbznbK5gb7QnkJ1MEZKs844LCm/ybGhMGByVHqKpxqvp7fhGtMc8t7Mrwu+YS9+\nXx79elr6PUxCdpvZEwBixs63a8/eI1U/ZAhmJQz54O6ntGCmDBigA6XHgVDWMrGJ\nrYi/uBNLbvAlxbpWhGlExdjUhUi9oLdqvqWL1adu0zqXHihqbfJa3jJXi0G0/lgh\nlfR7gXQG4d9EJryhGW+EOAPvorRegcIErrlnt0BdsnR4nMCz7vD4240rNfIYZCsk\nl8BhLnNIHgcfSMKX3L8whlW531YjEP4TjGWq7w7AKUkzeilPu3yw5y7n/xwU8dQT\nIbAKJ2pelmbYbHQEWqO/WIbsP3cRjT47vqGn972gqgu0eUjHgeQx4VCpkJD8kHqi\nd3hWv2H0eUGRPAc5QYXGt7CQm3d8vLQdQcVxo60vBcpAazd3T32fpQIDAQABoxAw\nDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCrdgcueo8C4qjNcTz0\nSF1xFtnUOutrsc6IAMbM/msTQzSnA+bcjviA7BPzqdwsFzWJblWUHygo8/yUDJD4\naPvaHRfgAKdhhKJv4iIhdDJ8O4uqaXTb5+FNMSS7axvUgbrIMUifnuAhimVYkou4\nONnEBpo9wMmE6mtFL1oKZ/gTEzhc/cRvK9uWDoDhIWYrduvlJeKIpou9Xxu+swmc\nbdFQ7in8bCK+1tH+zcTr+PWu+9CwYouZyKBgHZEvEc/u/BfwY4SK56T5w0zynqiw\n84+I8Y3d4yo66tdV35IdSGIF0nMdCZAj/e+veWi3YfhItzUj8mLoyfeLE9fHQXcM\n0p97bLbXJ52F/yblKEALuOB9rDlBzQ756N8Z1OieutSmHn/k9HCE4t5qzggeU77G\n6dk41AUL2pHSInp9YKDfWh2FWPxYHCyo/7FtxeutZbDlJcJehIdOJbna0oE6lyzg\nkjUA0PmgoDzKFzzN+vOwNg3wNGMmf13qDumBou4SENQflXZdjjGwN0lKeXqhxofa\nHhX8EPQG8L17O366NNmJ6v/DtEDXyeYl1q9GBYeR30mpxlDDWNEXID19Pwk44ttQ\nNgWrQBEFrh5tx3OMrHvCz0Dp7Ea7hrbKQqp62vjhejPhkv5ApyilS74qNsq2X0l6\nRoAfCsl66kf7mrHaN0EmkKrPgw==\n-----END CERTIFICATE-----\n","ticket":"2ee30af7c62c0509421d8b11d82335111b519032"},"ts":1504691835.2810029984}


>> {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIEwjCCAqqgAwIBAgIUXiDuNdYrSESkUwJvzk1tsAa/xE8wDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNjA5NTcxNVoXDTMyMDkw\nMjA5NTcxNVowEDEOMAwGA1UEAwwFYWdlbnQwggIiMA0GCSqGSIb3DQEBAQUAA4IC\nDwAwggIKAoICAQDWTF52oDZQoDFGAA4joV7wWuONyILKARsHj+577VsOiXfXXW25\nBT/RmUNumxOLpQnMgULBB/lovWjOxo5dhYrwGDOQqQRjaPgDcrsl/cvKpEliBwiV\n/AabPcvMO9s1V/ddw7EaZAQ2Fh1oo86uH9XdQAOT2KthNNzIfgvEV6W6SYU2th9x\na5ktJ6SMT9o1LLzhw8EKRKOAYyoTvtSmYwaJs8v+XyywupDDx7iRbXt21UBrdLBg\nsHK4mIbznbK5gb7QnkJ1MEZKs844LCm/ybGhMGByVHqKpxqvp7fhGtMc8t7Mrwu+\nYS9+Xx79elr6PUxCdpvZEwBixs63a8/eI1U/ZAhmJQz54O6ntGCmDBigA6XHgVDW\nMrGJrYi/uBNLbvAlxbpWhGlExdjUhUi9oLdqvqWL1adu0zqXHihqbfJa3jJXi0G0\n/lghlfR7gXQG4d9EJryhGW+EOAPvorRegcIErrlnt0BdsnR4nMCz7vD4240rNfIY\nZCskl8BhLnNIHgcfSMKX3L8whlW531YjEP4TjGWq7w7AKUkzeilPu3yw5y7n/xwU\n8dQTIbAKJ2pelmbYbHQEWqO/WIbsP3cRjT47vqGn972gqgu0eUjHgeQx4VCpkJD8\nkHqid3hWv2H0eUGRPAc5QYXGt7CQm3d8vLQdQcVxo60vBcpAazd3T32fpQIDAQAB\noxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBSaneWpv+F8PNE\n9SOWqtyZdvbqEFQYPBL1Of3F8n2KYMyy51ZkaGmKWL9RC3aC+nweKRfABMxA8sa5\n+5qkDD2DZnMqcI3KxlxhnnXTC8lhi0RxS6Uai/zio0E/OYgXHMhYziUkEaXqDzcZ\nYkaORO6szlmEidQ0NcU4nOZOY7Ca57ZZMvqRhaotp5eIOVkKQqYw4+cOWkrjX5VJ\n3Ma8F5iNO62F3wJF17i7Dv04ZgxvKQeCvhVgs3zoptzIaS66g7tKw6icwUuQhhh+\nj7zxU67O+QbNgJXEjY7rVda0/I9Af75jgPjy95KUCFqwQ6S7FU3eCO9bnpStEcuc\nXIad8Sjlnvplz5J1taNpiK/LJM1rK3Vug/SVxojvbMsUFdX5gxaAylcpB92utCL1\nrAJVfUUC9/tkm96+8Dq/10NS+L8k82G+5rFfreg18bJA3HZU2QN+O5hvWDa7iUEC\nBqKrdgjjVN18hqUOxk6idOKGmvP/tn9cQ6bcd1RKBXfkiHacztT1FebEybxTgfoQ\nD+ZNbQKfaGeOcskVtlUd56vj6NmVNPfBTbtio+5ByC2TnJicWOWnUbBr61hO/6kn\nU5CbSAWkBLJdLBDCZsMgYUTU8C7k/gLl+1w42+XeqXEpMrhwRq9b6MF4hMISKuyr\nA5DHBUaikIkElWFNfnsoD/k4Q5lT0Q==\n-----END CERTIFICATE-----\n","fingerprint_request":"6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620","status_code":0.0}}

Satellite receives updated certificate for agent.

<< {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIEwjCCAqqgAwIBAgIUXiDuNdYrSESkUwJvzk1tsAa/xE8wDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNjA5NTcxNVoXDTMyMDkw\nMjA5NTcxNVowEDEOMAwGA1UEAwwFYWdlbnQwggIiMA0GCSqGSIb3DQEBAQUAA4IC\nDwAwggIKAoICAQDWTF52oDZQoDFGAA4joV7wWuONyILKARsHj+577VsOiXfXXW25\nBT/RmUNumxOLpQnMgULBB/lovWjOxo5dhYrwGDOQqQRjaPgDcrsl/cvKpEliBwiV\n/AabPcvMO9s1V/ddw7EaZAQ2Fh1oo86uH9XdQAOT2KthNNzIfgvEV6W6SYU2th9x\na5ktJ6SMT9o1LLzhw8EKRKOAYyoTvtSmYwaJs8v+XyywupDDx7iRbXt21UBrdLBg\nsHK4mIbznbK5gb7QnkJ1MEZKs844LCm/ybGhMGByVHqKpxqvp7fhGtMc8t7Mrwu+\nYS9+Xx79elr6PUxCdpvZEwBixs63a8/eI1U/ZAhmJQz54O6ntGCmDBigA6XHgVDW\nMrGJrYi/uBNLbvAlxbpWhGlExdjUhUi9oLdqvqWL1adu0zqXHihqbfJa3jJXi0G0\n/lghlfR7gXQG4d9EJryhGW+EOAPvorRegcIErrlnt0BdsnR4nMCz7vD4240rNfIY\nZCskl8BhLnNIHgcfSMKX3L8whlW531YjEP4TjGWq7w7AKUkzeilPu3yw5y7n/xwU\n8dQTIbAKJ2pelmbYbHQEWqO/WIbsP3cRjT47vqGn972gqgu0eUjHgeQx4VCpkJD8\nkHqid3hWv2H0eUGRPAc5QYXGt7CQm3d8vLQdQcVxo60vBcpAazd3T32fpQIDAQAB\noxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBSaneWpv+F8PNE\n9SOWqtyZdvbqEFQYPBL1Of3F8n2KYMyy51ZkaGmKWL9RC3aC+nweKRfABMxA8sa5\n+5qkDD2DZnMqcI3KxlxhnnXTC8lhi0RxS6Uai/zio0E/OYgXHMhYziUkEaXqDzcZ\nYkaORO6szlmEidQ0NcU4nOZOY7Ca57ZZMvqRhaotp5eIOVkKQqYw4+cOWkrjX5VJ\n3Ma8F5iNO62F3wJF17i7Dv04ZgxvKQeCvhVgs3zoptzIaS66g7tKw6icwUuQhhh+\nj7zxU67O+QbNgJXEjY7rVda0/I9Af75jgPjy95KUCFqwQ6S7FU3eCO9bnpStEcuc\nXIad8Sjlnvplz5J1taNpiK/LJM1rK3Vug/SVxojvbMsUFdX5gxaAylcpB92utCL1\nrAJVfUUC9/tkm96+8Dq/10NS+L8k82G+5rFfreg18bJA3HZU2QN+O5hvWDa7iUEC\nBqKrdgjjVN18hqUOxk6idOKGmvP/tn9cQ6bcd1RKBXfkiHacztT1FebEybxTgfoQ\nD+ZNbQKfaGeOcskVtlUd56vj6NmVNPfBTbtio+5ByC2TnJicWOWnUbBr61hO/6kn\nU5CbSAWkBLJdLBDCZsMgYUTU8C7k/gLl+1w42+XeqXEpMrhwRq9b6MF4hMISKuyr\nA5DHBUaikIkElWFNfnsoD/k4Q5lT0Q==\n-----END CERTIFICATE-----\n","fingerprint_request":"6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620","status_code":0.0}}
[2017-09-06 11:57:15 +0200] warning/JsonRpcConnection: {
	ca = "-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n"
	cert = "-----BEGIN CERTIFICATE-----\nMIIEwjCCAqqgAwIBAgIUXiDuNdYrSESkUwJvzk1tsAa/xE8wDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNjA5NTcxNVoXDTMyMDkw\nMjA5NTcxNVowEDEOMAwGA1UEAwwFYWdlbnQwggIiMA0GCSqGSIb3DQEBAQUAA4IC\nDwAwggIKAoICAQDWTF52oDZQoDFGAA4joV7wWuONyILKARsHj+577VsOiXfXXW25\nBT/RmUNumxOLpQnMgULBB/lovWjOxo5dhYrwGDOQqQRjaPgDcrsl/cvKpEliBwiV\n/AabPcvMO9s1V/ddw7EaZAQ2Fh1oo86uH9XdQAOT2KthNNzIfgvEV6W6SYU2th9x\na5ktJ6SMT9o1LLzhw8EKRKOAYyoTvtSmYwaJs8v+XyywupDDx7iRbXt21UBrdLBg\nsHK4mIbznbK5gb7QnkJ1MEZKs844LCm/ybGhMGByVHqKpxqvp7fhGtMc8t7Mrwu+\nYS9+Xx79elr6PUxCdpvZEwBixs63a8/eI1U/ZAhmJQz54O6ntGCmDBigA6XHgVDW\nMrGJrYi/uBNLbvAlxbpWhGlExdjUhUi9oLdqvqWL1adu0zqXHihqbfJa3jJXi0G0\n/lghlfR7gXQG4d9EJryhGW+EOAPvorRegcIErrlnt0BdsnR4nMCz7vD4240rNfIY\nZCskl8BhLnNIHgcfSMKX3L8whlW531YjEP4TjGWq7w7AKUkzeilPu3yw5y7n/xwU\n8dQTIbAKJ2pelmbYbHQEWqO/WIbsP3cRjT47vqGn972gqgu0eUjHgeQx4VCpkJD8\nkHqid3hWv2H0eUGRPAc5QYXGt7CQm3d8vLQdQcVxo60vBcpAazd3T32fpQIDAQAB\noxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBSaneWpv+F8PNE\n9SOWqtyZdvbqEFQYPBL1Of3F8n2KYMyy51ZkaGmKWL9RC3aC+nweKRfABMxA8sa5\n+5qkDD2DZnMqcI3KxlxhnnXTC8lhi0RxS6Uai/zio0E/OYgXHMhYziUkEaXqDzcZ\nYkaORO6szlmEidQ0NcU4nOZOY7Ca57ZZMvqRhaotp5eIOVkKQqYw4+cOWkrjX5VJ\n3Ma8F5iNO62F3wJF17i7Dv04ZgxvKQeCvhVgs3zoptzIaS66g7tKw6icwUuQhhh+\nj7zxU67O+QbNgJXEjY7rVda0/I9Af75jgPjy95KUCFqwQ6S7FU3eCO9bnpStEcuc\nXIad8Sjlnvplz5J1taNpiK/LJM1rK3Vug/SVxojvbMsUFdX5gxaAylcpB92utCL1\nrAJVfUUC9/tkm96+8Dq/10NS+L8k82G+5rFfreg18bJA3HZU2QN+O5hvWDa7iUEC\nBqKrdgjjVN18hqUOxk6idOKGmvP/tn9cQ6bcd1RKBXfkiHacztT1FebEybxTgfoQ\nD+ZNbQKfaGeOcskVtlUd56vj6NmVNPfBTbtio+5ByC2TnJicWOWnUbBr61hO/6kn\nU5CbSAWkBLJdLBDCZsMgYUTU8C7k/gLl+1w42+XeqXEpMrhwRq9b6MF4hMISKuyr\nA5DHBUaikIkElWFNfnsoD/k4Q5lT0Q==\n-----END CERTIFICATE-----\n"
	fingerprint_request = "6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620"
	status_code = 0.000000
}
[2017-09-06 11:57:15 +0200] warning/JsonRpcConnection: Received certificate update message for CN 'agent'
var-b/lib/icinga2/certificate-requests//6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620.json
[2017-09-06 11:57:15 +0200] warning/JsonRpcConnection: Saved certificate update for CN 'agent'

Client receives the certificate, stores it on disk and in memory. Disconnects the satellite to enforce valid SSL handshake and trusted relationship automatically.

<< {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIEwjCCAqqgAwIBAgIUXiDuNdYrSESkUwJvzk1tsAa/xE8wDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNjA5NTcxNVoXDTMyMDkw\nMjA5NTcxNVowEDEOMAwGA1UEAwwFYWdlbnQwggIiMA0GCSqGSIb3DQEBAQUAA4IC\nDwAwggIKAoICAQDWTF52oDZQoDFGAA4joV7wWuONyILKARsHj+577VsOiXfXXW25\nBT/RmUNumxOLpQnMgULBB/lovWjOxo5dhYrwGDOQqQRjaPgDcrsl/cvKpEliBwiV\n/AabPcvMO9s1V/ddw7EaZAQ2Fh1oo86uH9XdQAOT2KthNNzIfgvEV6W6SYU2th9x\na5ktJ6SMT9o1LLzhw8EKRKOAYyoTvtSmYwaJs8v+XyywupDDx7iRbXt21UBrdLBg\nsHK4mIbznbK5gb7QnkJ1MEZKs844LCm/ybGhMGByVHqKpxqvp7fhGtMc8t7Mrwu+\nYS9+Xx79elr6PUxCdpvZEwBixs63a8/eI1U/ZAhmJQz54O6ntGCmDBigA6XHgVDW\nMrGJrYi/uBNLbvAlxbpWhGlExdjUhUi9oLdqvqWL1adu0zqXHihqbfJa3jJXi0G0\n/lghlfR7gXQG4d9EJryhGW+EOAPvorRegcIErrlnt0BdsnR4nMCz7vD4240rNfIY\nZCskl8BhLnNIHgcfSMKX3L8whlW531YjEP4TjGWq7w7AKUkzeilPu3yw5y7n/xwU\n8dQTIbAKJ2pelmbYbHQEWqO/WIbsP3cRjT47vqGn972gqgu0eUjHgeQx4VCpkJD8\nkHqid3hWv2H0eUGRPAc5QYXGt7CQm3d8vLQdQcVxo60vBcpAazd3T32fpQIDAQAB\noxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBSaneWpv+F8PNE\n9SOWqtyZdvbqEFQYPBL1Of3F8n2KYMyy51ZkaGmKWL9RC3aC+nweKRfABMxA8sa5\n+5qkDD2DZnMqcI3KxlxhnnXTC8lhi0RxS6Uai/zio0E/OYgXHMhYziUkEaXqDzcZ\nYkaORO6szlmEidQ0NcU4nOZOY7Ca57ZZMvqRhaotp5eIOVkKQqYw4+cOWkrjX5VJ\n3Ma8F5iNO62F3wJF17i7Dv04ZgxvKQeCvhVgs3zoptzIaS66g7tKw6icwUuQhhh+\nj7zxU67O+QbNgJXEjY7rVda0/I9Af75jgPjy95KUCFqwQ6S7FU3eCO9bnpStEcuc\nXIad8Sjlnvplz5J1taNpiK/LJM1rK3Vug/SVxojvbMsUFdX5gxaAylcpB92utCL1\nrAJVfUUC9/tkm96+8Dq/10NS+L8k82G+5rFfreg18bJA3HZU2QN+O5hvWDa7iUEC\nBqKrdgjjVN18hqUOxk6idOKGmvP/tn9cQ6bcd1RKBXfkiHacztT1FebEybxTgfoQ\nD+ZNbQKfaGeOcskVtlUd56vj6NmVNPfBTbtio+5ByC2TnJicWOWnUbBr61hO/6kn\nU5CbSAWkBLJdLBDCZsMgYUTU8C7k/gLl+1w42+XeqXEpMrhwRq9b6MF4hMISKuyr\nA5DHBUaikIkElWFNfnsoD/k4Q5lT0Q==\n-----END CERTIFICATE-----\n","fingerprint_request":"6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620","status_code":0.0}}
[2017-09-06 12:01:39 +0200] warning/JsonRpcConnection: {
	ca = "-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n"
	cert = "-----BEGIN CERTIFICATE-----\nMIIEwjCCAqqgAwIBAgIUXiDuNdYrSESkUwJvzk1tsAa/xE8wDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNjA5NTcxNVoXDTMyMDkw\nMjA5NTcxNVowEDEOMAwGA1UEAwwFYWdlbnQwggIiMA0GCSqGSIb3DQEBAQUAA4IC\nDwAwggIKAoICAQDWTF52oDZQoDFGAA4joV7wWuONyILKARsHj+577VsOiXfXXW25\nBT/RmUNumxOLpQnMgULBB/lovWjOxo5dhYrwGDOQqQRjaPgDcrsl/cvKpEliBwiV\n/AabPcvMO9s1V/ddw7EaZAQ2Fh1oo86uH9XdQAOT2KthNNzIfgvEV6W6SYU2th9x\na5ktJ6SMT9o1LLzhw8EKRKOAYyoTvtSmYwaJs8v+XyywupDDx7iRbXt21UBrdLBg\nsHK4mIbznbK5gb7QnkJ1MEZKs844LCm/ybGhMGByVHqKpxqvp7fhGtMc8t7Mrwu+\nYS9+Xx79elr6PUxCdpvZEwBixs63a8/eI1U/ZAhmJQz54O6ntGCmDBigA6XHgVDW\nMrGJrYi/uBNLbvAlxbpWhGlExdjUhUi9oLdqvqWL1adu0zqXHihqbfJa3jJXi0G0\n/lghlfR7gXQG4d9EJryhGW+EOAPvorRegcIErrlnt0BdsnR4nMCz7vD4240rNfIY\nZCskl8BhLnNIHgcfSMKX3L8whlW531YjEP4TjGWq7w7AKUkzeilPu3yw5y7n/xwU\n8dQTIbAKJ2pelmbYbHQEWqO/WIbsP3cRjT47vqGn972gqgu0eUjHgeQx4VCpkJD8\nkHqid3hWv2H0eUGRPAc5QYXGt7CQm3d8vLQdQcVxo60vBcpAazd3T32fpQIDAQAB\noxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBSaneWpv+F8PNE\n9SOWqtyZdvbqEFQYPBL1Of3F8n2KYMyy51ZkaGmKWL9RC3aC+nweKRfABMxA8sa5\n+5qkDD2DZnMqcI3KxlxhnnXTC8lhi0RxS6Uai/zio0E/OYgXHMhYziUkEaXqDzcZ\nYkaORO6szlmEidQ0NcU4nOZOY7Ca57ZZMvqRhaotp5eIOVkKQqYw4+cOWkrjX5VJ\n3Ma8F5iNO62F3wJF17i7Dv04ZgxvKQeCvhVgs3zoptzIaS66g7tKw6icwUuQhhh+\nj7zxU67O+QbNgJXEjY7rVda0/I9Af75jgPjy95KUCFqwQ6S7FU3eCO9bnpStEcuc\nXIad8Sjlnvplz5J1taNpiK/LJM1rK3Vug/SVxojvbMsUFdX5gxaAylcpB92utCL1\nrAJVfUUC9/tkm96+8Dq/10NS+L8k82G+5rFfreg18bJA3HZU2QN+O5hvWDa7iUEC\nBqKrdgjjVN18hqUOxk6idOKGmvP/tn9cQ6bcd1RKBXfkiHacztT1FebEybxTgfoQ\nD+ZNbQKfaGeOcskVtlUd56vj6NmVNPfBTbtio+5ByC2TnJicWOWnUbBr61hO/6kn\nU5CbSAWkBLJdLBDCZsMgYUTU8C7k/gLl+1w42+XeqXEpMrhwRq9b6MF4hMISKuyr\nA5DHBUaikIkElWFNfnsoD/k4Q5lT0Q==\n-----END CERTIFICATE-----\n"
	fingerprint_request = "6a0bd5277df92c081f69a7199e3bf0d059a1aafae402f7388a4cfd9ce4dd1620"
	status_code = 0.000000
}
[2017-09-06 12:01:39 +0200] warning/JsonRpcConnection: Received certificate update message for CN 'agent'
[2017-09-06 12:01:39 +0200] information/JsonRpcConnection: Updating the client certificate for the ApiListener object
[2017-09-06 12:01:39 +0200] warning/JsonRpcConnection: API client disconnected for identity 'satellite'
[2017-09-06 12:01:39 +0200] warning/JsonRpcConnection: API client disconnected for identity 'satellite'
[2017-09-06 12:01:39 +0200] warning/ApiListener: Removing API client for endpoint 'satellite'. 0 API clients left.
[2017-09-06 12:01:39 +0200] warning/ApiListener: Removing API client for endpoint 'satellite'. 0 API clients left.

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 6, 2017

Three level cluster

Ticket less delayed request

Client wizard

michi@mbmif ~/coding/testing/icinga2 (master *) $ sudo ./icinga2c node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:
Starting the Node setup routine...
Please specify the common name (CN) [mbmif.int.netways.de]: agent
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): satellite
Do you want to establish a connection to the master from this node? [Y/n]:
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): 127.0.0.1
Master endpoint port [5665]: 5666
Add more master endpoints? [y/N]:
information/base: Writing private key to 'var-c/lib/icinga2/certs//agent.key'.
information/base: Writing X509 certificate to 'var-c/lib/icinga2/certs//agent.crt'.
information/cli: Fetching public certificate from master (127.0.0.1, 5666):

Certificate information:

 Subject:     CN = satellite
 Issuer:      CN = Icinga CA
 Valid From:  Sep  5 15:40:31 2017 GMT
 Valid Until: Sep  1 15:40:31 2032 GMT
 Fingerprint: DE C1 45 F5 AB FB D1 44 CD 93 FE 37 2F 49 A4 A6 DF 01 77 44

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master (optional).
 (Hint: # icinga2 pki ticket --cn 'agent'):

No ticket was specified. Please approve the certificate signing request manually
on the master (see 'icinga2 ca list' and 'icinga2 ca sign --help' for details).

information/cli: Requesting certificate without a ticket.
information/cli: Created backup file 'var-c/lib/icinga2/certs//agent.crt.orig'.
>> {"id":"mbmif.int.netways.de-1504694822-1","jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":""}}
<< {"id":"mbmif.int.netways.de-1504694822-1","jsonrpc":"2.0","result":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","error":"Certificate request is pending. Waiting for approval from the parent Icinga instance.","fingerprint_request":"9cfac8f7b80edea75bcbaa4e5ddda4e2f8678e595701ae40a15dc40c2678fb2c","status_code":2.0}}
information/cli: Writing CA certificate to file 'var-c/lib/icinga2/certs//ca.crt'.
information/cli: !!!!!!
information/cli: !!! Certificate request is pending. Waiting for approval from the parent Icinga instance.
information/cli: !!!!!!
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []: 5667

Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
warning/cli: Feature 'notification' already disabled.
information/cli: Enabling the ApiListener feature.
warning/cli: Feature 'api' already enabled.
warning/cli: Backup file 'etc-c/icinga2/features-available/api.conf.orig' already exists. Skipping backup.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file 'etc-c/icinga2/zones.conf'.
warning/cli: Backup file 'etc-c/icinga2/zones.conf.orig' already exists. Skipping backup.
warning/cli: CN 'agent' does not match the default FQDN 'mbmif.int.netways.de'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
warning/cli: Backup file 'etc-c/icinga2/constants.conf.orig' already exists. Skipping backup.
information/cli: Updating constants file 'etc-c/icinga2/constants.conf'.
information/cli: Updating constants file 'etc-c/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!

Satellite forward

[2017-09-06 12:47:02 +0200] information/ApiListener: New client connection for identity 'agent' from [::ffff:127.0.0.1]:55515 (certificate validation failed: code 18: self signed certificate)
<< {"id":"mbmif.int.netways.de-1504694822-1","jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":""}}
>> {"id":"mbmif.int.netways.de-1504694822-1","jsonrpc":"2.0","result":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","error":"Certificate request is pending. Waiting for approval from the parent Icinga instance.","fingerprint_request":"9cfac8f7b80edea75bcbaa4e5ddda4e2f8678e595701ae40a15dc40c2678fb2c","status_code":2.0}}>>
{"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"cert_request":"-----BEGIN CERTIFICATE-----\nMIIEvjCCAqagAwIBAgIUD4D27qzVeJq9a8tyW8c1hR9iU+UwDQYJKoZIhvcNAQEL\nBQAwEDEOMAwGA1UEAwwFYWdlbnQwHhcNMTcwOTA2MTA0NjU0WhcNMzIwOTAyMTA0\nNjU0WjAQMQ4wDAYDVQQDDAVhZ2VudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBANXQV5cHtad978lMFHtQ7p5AQBzrWe65tXup653BN0neMNbS2MzNF107\nuNstU1yKFIAHFUeFtaqoYDbGg6jlzh3HDWsR5fHavUU1jvh6LRyFDrag/TzKgO37\ngD3tTeVZ7wNcV40Q3L4+1nd7f+JoV0JX8zGRoXy5O+J2NolfNPonCqyS3WvwCgN0\nUu7KgRR9UeoSicCooF2+p1BX3FqjEPR736dNP3PF9xQoutlJyemQWTUaRgZVOhNS\n7luwnQ6DKzlufF2E+qYD3V9JwKYqQW74LBmGW4evvUkTtNdNk/e3i0itruscJcW/\nYOAI/ZEIgmioa+1XCI1nxXvCNX3rabcyOIZt6rkbwVhP9MmIeIU+D+Il//pOOcwQ\n3y4o8u0pdEoTdsVNLbhJ0DxRbtraYcmXZcDOM4XkU5ltuZDPazANZySffDFruhFI\njBOOaMtcZFJm9PHQAtGK5BdSkXUkeqHeRPVkZUODINRhvVcsVsRfb3nxMZ9+wb2f\nG+tqije2mpr2fLRE4JWYtbY7n40LgFX5fT579eq81sQSzrWdO50zHEo4mEeGkgLK\nzBsCvxAuSpFzuMLdDitQbKhB3ACLLcYvgG8WJZXAyVM2NvvoYo6tmCWzrF7aG7mv\n5GnMxVLwEeGBY/rXeYTUvrgMA66B/GqgD0rI8pAfs3/71sKeZ4VfAgMBAAGjEDAO\nMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAJWNXII+y12Lk0GMnOAt\nS5fDJfzw2+Q853Cwmp1jgO5b97QQsiDRUDtbR1yS2LZaW6+GvPQxP4JZUwwV4DLe\nfTQ6PaEcrXpf3zbrbm6Qw4ylr5oV7XX11yRw/cHjTUv67dvdrQsogwYHOff9DoHq\nGeHTqTfEdJLhCYkxLZDcXK++bmvIGCl0X5sDQl+obFNR2I1NYk4xJxH6537v51Yw\nVnxIHYdfRD3OvyFzfrjRW9WgEcSa7UXHC4e7PwpTBpFcgiw1BMA9Max02EDknYzD\nK1Ad+LT6X3An3jvwV4C9j/hAqtl1HwM53U3lS9u8kycniPYck0yPyWf48o0zKi6v\nS0V2V/ImW0juGOVdG8lm1lzVrMIo8JS2WCorjDz93bV5aP+fmciuVxeqeI8ifqXS\nmwX5jbs5q7EYFdp5c034lhwZTVK4rb/9ctZEFGfiMSGGDfoZC1fDTaeIgi7qu+0M\nlKuMlLzeUx59CYlokMjc8CXsnYrzZ+YzeOduAAVu6vRxoMncD5UR7ofmXvFks2fy\nOI+91B0AivSwx7ZtmgZJf0FzBp5NLHF8ZLqxdjv4t8yW34frhJM5nG2i00AfArxR\niCqrlb6L1vHL50jksyWXZyAseQk0uuZgD9aLyCbvHfDiQZ/YR3TK4lJbIl8VvbYM\nXuigl9KeacXjLNdCjutC5gj6\n-----END CERTIFICATE-----\n","ticket":""},"ts":1504694822.5409779549}
[2017-09-06 12:47:02 +0200] warning/JsonRpcConnection: API client disconnected for identity 'agent'

Master stores the request but does nothing without ticket.


<< {"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"cert_request":"-----BEGIN CERTIFICATE-----\nMIIEvjCCAqagAwIBAgIUD4D27qzVeJq9a8tyW8c1hR9iU+UwDQYJKoZIhvcNAQEL\nBQAwEDEOMAwGA1UEAwwFYWdlbnQwHhcNMTcwOTA2MTA0NjU0WhcNMzIwOTAyMTA0\nNjU0WjAQMQ4wDAYDVQQDDAVhZ2VudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBANXQV5cHtad978lMFHtQ7p5AQBzrWe65tXup653BN0neMNbS2MzNF107\nuNstU1yKFIAHFUeFtaqoYDbGg6jlzh3HDWsR5fHavUU1jvh6LRyFDrag/TzKgO37\ngD3tTeVZ7wNcV40Q3L4+1nd7f+JoV0JX8zGRoXy5O+J2NolfNPonCqyS3WvwCgN0\nUu7KgRR9UeoSicCooF2+p1BX3FqjEPR736dNP3PF9xQoutlJyemQWTUaRgZVOhNS\n7luwnQ6DKzlufF2E+qYD3V9JwKYqQW74LBmGW4evvUkTtNdNk/e3i0itruscJcW/\nYOAI/ZEIgmioa+1XCI1nxXvCNX3rabcyOIZt6rkbwVhP9MmIeIU+D+Il//pOOcwQ\n3y4o8u0pdEoTdsVNLbhJ0DxRbtraYcmXZcDOM4XkU5ltuZDPazANZySffDFruhFI\njBOOaMtcZFJm9PHQAtGK5BdSkXUkeqHeRPVkZUODINRhvVcsVsRfb3nxMZ9+wb2f\nG+tqije2mpr2fLRE4JWYtbY7n40LgFX5fT579eq81sQSzrWdO50zHEo4mEeGkgLK\nzBsCvxAuSpFzuMLdDitQbKhB3ACLLcYvgG8WJZXAyVM2NvvoYo6tmCWzrF7aG7mv\n5GnMxVLwEeGBY/rXeYTUvrgMA66B/GqgD0rI8pAfs3/71sKeZ4VfAgMBAAGjEDAO\nMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAJWNXII+y12Lk0GMnOAt\nS5fDJfzw2+Q853Cwmp1jgO5b97QQsiDRUDtbR1yS2LZaW6+GvPQxP4JZUwwV4DLe\nfTQ6PaEcrXpf3zbrbm6Qw4ylr5oV7XX11yRw/cHjTUv67dvdrQsogwYHOff9DoHq\nGeHTqTfEdJLhCYkxLZDcXK++bmvIGCl0X5sDQl+obFNR2I1NYk4xJxH6537v51Yw\nVnxIHYdfRD3OvyFzfrjRW9WgEcSa7UXHC4e7PwpTBpFcgiw1BMA9Max02EDknYzD\nK1Ad+LT6X3An3jvwV4C9j/hAqtl1HwM53U3lS9u8kycniPYck0yPyWf48o0zKi6v\nS0V2V/ImW0juGOVdG8lm1lzVrMIo8JS2WCorjDz93bV5aP+fmciuVxeqeI8ifqXS\nmwX5jbs5q7EYFdp5c034lhwZTVK4rb/9ctZEFGfiMSGGDfoZC1fDTaeIgi7qu+0M\nlKuMlLzeUx59CYlokMjc8CXsnYrzZ+YzeOduAAVu6vRxoMncD5UR7ofmXvFks2fy\nOI+91B0AivSwx7ZtmgZJf0FzBp5NLHF8ZLqxdjv4t8yW34frhJM5nG2i00AfArxR\niCqrlb6L1vHL50jksyWXZyAseQk0uuZgD9aLyCbvHfDiQZ/YR3TK4lJbIl8VvbYM\nXuigl9KeacXjLNdCjutC5gj6\n-----END CERTIFICATE-----\n","ticket":""},"ts":1504694822.5409779549}

List and sign the request on the master:

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca list
Fingerprint                                                      | Timestamp           | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375 | 2017/09/06 13:57:59 |        | CN = agent

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca sign 34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375
information/cli: Signed certificate for 'CN = agent'.

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca list
Fingerprint                                                      | Timestamp           | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375 | 2017/09/06 13:57:59 | *      | CN = agent

Client is started and requests a new certificate from its parent node (satellite)

[2017-09-06 14:06:44 +0200] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'satellite'.
>> {"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":""}}

Satellite forwards the request

[2017-09-06 14:06:44 +0200] information/ApiListener: New client connection for identity 'agent' from [::ffff:127.0.0.1]:55998 (certificate validation failed: code 18: self signed certificate)
<< {"jsonrpc":"2.0","method":"icinga::Hello","params":{}}
<< {"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":""}}
>> {"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"cert_request":"-----BEGIN CERTIFICATE-----\nMIIEvjCCAqagAwIBAgIUFL/IuxmMkd158FvPkFqUagS22DswDQYJKoZIhvcNAQEL\nBQAwEDEOMAwGA1UEAwwFYWdlbnQwHhcNMTcwOTA2MTE1NzU5WhcNMzIwOTAyMTE1\nNzU5WjAQMQ4wDAYDVQQDDAVhZ2VudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBAKOpjzR+y9QFqMCXL/wnUPAb0v2RQxRAR3d0QKJUZoZTJKYyP6urqpAK\nnXDZrXNIdTNx+eh1rCN/94+SQ9f7Fs2CcPHQFNpuepK/Vny0sWaFD+TTK0BbUZT6\nU6niGr+OzNIfsIqKAMOrSBHHF1Xv/ekH9l+Xheetdw0k8780g0MtVfQs3LSWT8K1\n9f2z5sn3nYY+jwyPP2C4IuMEdXqMldcxgJphBzi5m7LUo7lk3AhaiiU7r8AjmBlp\n6Dw7BKP4uOl1HSWXtrDSqZCi7NmsHGO5dm1YoJBEHnv8EZJ7wn4aO3enU4a999N9\nOQ+bxvuqj4zdgqwjPyR1tyNWYgUue+jX71AdtkQkw6EJqVtMZcgvLl+7L5Rsf4oL\nWNE+/qwnQN67iMaJnB7ALLAQABgJBisUbn8Zam5qHFHDQtdx7aw1LGx1KLUvec75\nnmiGDg9/zbt9/2mj+4l5SxpEwaONl58xKFqkEfL52SNdEJfqZvMYa5AwDS84VLO/\n5VIOviuWmOtEUu3D4l49BVCQUp63aJzHuqArJXemWBPMheA2Wz4h6eiiMKVllY7L\nCQTIs129heU2wAgUzH4vluyK1aK22BjEwl5uoCP0Af6bSJvDz34FFN6TsztzT437\nh/Qdfsicn6dH9lpXcQbwLcxrp23sDWot3VlnD9NdOGXvL5JsHDQ/AgMBAAGjEDAO\nMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAImVwwArCLorSQZPvCMN\n6gxNlGMvFzqAM0nb+VmpuUe26irsslNNReHs3XCTGzko4sYnHVhPi8cmmbUDcJPY\nSGrQnwpE3T9/sJw7fidzacmDydeRIv76WL/BcQ2lxYy3X7pCY/IHFm4I49HaRo5v\n4p9FwJk3i3h71cg+7ckUhSUzVM6/dx25eELHePAldWieIUdBe0qiUU5oMJVYtDF5\nWCAk/2dgJu/PFB5AxuN88NGJwqxFuW7Zs8Vs34eZRnUc7dhi7O1TPEmwDD+poKVf\nS5nwb7l3f0K/G9AeY4HCci01ZOziwlCO5XDxllaVOHP0AHfrecqeuZUNzMuPGQKS\nprKeq74KnJGE68FcZlNh8Ls+2LSHgprSgqpVmDQoBjRxAUUQsxzqqqdUVwhuG0YQ\n6XEpqPoyyT1NwFl4u2iHoW7sIdYOzUd7Frvi4foGJi0haG0V1ckAPH6qsCS4UYyc\nHIrubHzilMZ+PKpKN4CLMmuV3wiEr3VsdUoPAQMPHg1AOaPmaNKKPGtI1qbLwW+A\nWQd4azbSQNTvrnoqPfqvwhWZkCNjvEBPj1Dp+QFd+CafFLYE7K9a4xbV9+eeiwWd\ngmofZ9tVk/6kOD98Nm9qk0Ry3aGrfaUAzTlYvg19D0n3CyHuIPS28LjLsnDPLUpE\n4m5EXvOTjtNpXov4LwGzFWBg\n-----END CERTIFICATE-----\n","ticket":""},"ts":1504699604.9074308872}

Master receives the request, signs and sends back to the satellite

----BEGIN CERTIFICATE-----\nMIIEvjCCAqagAwIBAgIUFL/IuxmMkd158FvPkFqUagS22DswDQYJKoZIhvcNAQEL\nBQAwEDEOMAwGA1UEAwwFYWdlbnQwHhcNMTcwOTA2MTE1NzU5WhcNMzIwOTAyMTE1\nNzU5WjAQMQ4wDAYDVQQDDAVhZ2VudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBAKOpjzR+y9QFqMCXL/wnUPAb0v2RQxRAR3d0QKJUZoZTJKYyP6urqpAK\nnXDZrXNIdTNx+eh1rCN/94+SQ9f7Fs2CcPHQFNpuepK/Vny0sWaFD+TTK0BbUZT6\nU6niGr+OzNIfsIqKAMOrSBHHF1Xv/ekH9l+Xheetdw0k8780g0MtVfQs3LSWT8K1\n9f2z5sn3nYY+jwyPP2C4IuMEdXqMldcxgJphBzi5m7LUo7lk3AhaiiU7r8AjmBlp\n6Dw7BKP4uOl1HSWXtrDSqZCi7NmsHGO5dm1YoJBEHnv8EZJ7wn4aO3enU4a999N9\nOQ+bxvuqj4zdgqwjPyR1tyNWYgUue+jX71AdtkQkw6EJqVtMZcgvLl+7L5Rsf4oL\nWNE+/qwnQN67iMaJnB7ALLAQABgJBisUbn8Zam5qHFHDQtdx7aw1LGx1KLUvec75\nnmiGDg9/zbt9/2mj+4l5SxpEwaONl58xKFqkEfL52SNdEJfqZvMYa5AwDS84VLO/\n5VIOviuWmOtEUu3D4l49BVCQUp63aJzHuqArJXemWBPMheA2Wz4h6eiiMKVllY7L\nCQTIs129heU2wAgUzH4vluyK1aK22BjEwl5uoCP0Af6bSJvDz34FFN6TsztzT437\nh/Qdfsicn6dH9lpXcQbwLcxrp23sDWot3VlnD9NdOGXvL5JsHDQ/AgMBAAGjEDAO\nMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAImVwwArCLorSQZPvCMN\n6gxNlGMvFzqAM0nb+VmpuUe26irsslNNReHs3XCTGzko4sYnHVhPi8cmmbUDcJPY\nSGrQnwpE3T9/sJw7fidzacmDydeRIv76WL/BcQ2lxYy3X7pCY/IHFm4I49HaRo5v\n4p9FwJk3i3h71cg+7ckUhSUzVM6/dx25eELHePAldWieIUdBe0qiUU5oMJVYtDF5\nWCAk/2dgJu/PFB5AxuN88NGJwqxFuW7Zs8Vs34eZRnUc7dhi7O1TPEmwDD+poKVf\nS5nwb7l3f0K/G9AeY4HCci01ZOziwlCO5XDxllaVOHP0AHfrecqeuZUNzMuPGQKS\nprKeq74KnJGE68FcZlNh8Ls+2LSHgprSgqpVmDQoBjRxAUUQsxzqqqdUVwhuG0YQ\n6XEpqPoyyT1NwFl4u2iHoW7sIdYOzUd7Frvi4foGJi0haG0V1ckAPH6qsCS4UYyc\nHIrubHzilMZ+PKpKN4CLMmuV3wiEr3VsdUoPAQMPHg1AOaPmaNKKPGtI1qbLwW+A\nWQd4azbSQNTvrnoqPfqvwhWZkCNjvEBPj1Dp+QFd+CafFLYE7K9a4xbV9+eeiwWd\ngmofZ9tVk/6kOD98Nm9qk0Ry3aGrfaUAzTlYvg19D0n3CyHuIPS28LjLsnDPLUpE\n4m5EXvOTjtNpXov4LwGzFWBg\n-----END CERTIFICATE-----\n","ticket":""},"ts":1504699604.9074308872}
>> {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIEwzCCAqugAwIBAgIVAMivkpZGU7w1kS4FWZWsJxK1q/udMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDYxMTU4NDZaFw0zMjA5\nMDIxMTU4NDZaMBAxDjAMBgNVBAMMBWFnZW50MIICIjANBgkqhkiG9w0BAQEFAAOC\nAg8AMIICCgKCAgEAo6mPNH7L1AWowJcv/CdQ8BvS/ZFDFEBHd3RAolRmhlMkpjI/\nq6uqkAqdcNmtc0h1M3H56HWsI3/3j5JD1/sWzYJw8dAU2m56kr9WfLSxZoUP5NMr\nQFtRlPpTqeIav47M0h+wiooAw6tIEccXVe/96Qf2X5eF5613DSTzvzSDQy1V9Czc\ntJZPwrX1/bPmyfedhj6PDI8/YLgi4wR1eoyV1zGAmmEHOLmbstSjuWTcCFqKJTuv\nwCOYGWnoPDsEo/i46XUdJZe2sNKpkKLs2awcY7l2bVigkEQee/wRknvCfho7d6dT\nhr330305D5vG+6qPjN2CrCM/JHW3I1ZiBS576NfvUB22RCTDoQmpW0xlyC8uX7sv\nlGx/igtY0T7+rCdA3ruIxomcHsAssBAAGAkGKxRufxlqbmocUcNC13HtrDUsbHUo\ntS95zvmeaIYOD3/Nu33/aaP7iXlLGkTBo42XnzEoWqQR8vnZI10Ql+pm8xhrkDAN\nLzhUs7/lUg6+K5aY60RS7cPiXj0FUJBSnrdonMe6oCsld6ZYE8yF4DZbPiHp6KIw\npWWVjssJBMizXb2F5TbACBTMfi+W7IrVorbYGMTCXm6gI/QB/ptIm8PPfgUU3pOz\nO3NPjfuH9B1+yJyfp0f2WldxBvAtzGunbewNai3dWWcP0104Ze8vkmwcND8CAwEA\nAaMQMA4wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAhzl8vimWG2hf\nacsZNUeR8aSSlwS24Hhx2QAtkP3Caj8PD9OSkR6TxgUge4sFV/oADjrpR7OUapg5\nRqsqvcRmnIBGsmvROA733MLO2zoPQ9UQlGSRD55Kpkfld0Wf0zqwOatlpKjZJb95\nKxDz8ahsUrrFka5nrNn7Zx00r0BpmuJOMjwb3h6+lOiQovWdFhkJYzqXo/Y7BFzO\nvv9E2r5QsGcmSNsD4hB9OrcAQg2aNwHPA+FP2gtpp8xKE5J0hMipHmdyqsOJVc5f\n1zolS9E2FwLRnV59AlT4zW1m5ucXrt3skpW+7pe7tdGhtQKHXDFbODaJq0kJkFmu\nfF39L1z6rUicigt+JO+/9XdanOQ2HYXAMe9lxE4j8FTmgXBnOT9ByVM5Z3BGnY1e\n9r7cQbVwKAs0znhHz9CPq289fve/urUrO5QVlGJVokXQQj9US3zUaQ1LwBSSTvIJ\nz8dCcZPlSeinD48QBNych6+XSkaA/plxD18C78jwQyZXZdFkN3jJnHl2M8x7bcVe\n+enEeofFEgJVCKKdTKqHvGQaz3R+J4OlrNNUQRu1UJS/t1v5NRqvytw9xaMsdybj\n8Uf8uAHoHpsM02Ta7q0UuhvGw6QBXHkYSN5Q8PyRBkEl9ZmDBOo55Cw9XHS01xIW\nC5ERWNHPDelGUCgdMtca+kigE7OuF74=\n-----END CERTIFICATE-----\n","fingerprint_request":"34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375","status_code":0.0}}

Satellite stores the message

<< {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIEwzCCAqugAwIBAgIVAMivkpZGU7w1kS4FWZWsJxK1q/udMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDYxMTU4NDZaFw0zMjA5\nMDIxMTU4NDZaMBAxDjAMBgNVBAMMBWFnZW50MIICIjANBgkqhkiG9w0BAQEFAAOC\nAg8AMIICCgKCAgEAo6mPNH7L1AWowJcv/CdQ8BvS/ZFDFEBHd3RAolRmhlMkpjI/\nq6uqkAqdcNmtc0h1M3H56HWsI3/3j5JD1/sWzYJw8dAU2m56kr9WfLSxZoUP5NMr\nQFtRlPpTqeIav47M0h+wiooAw6tIEccXVe/96Qf2X5eF5613DSTzvzSDQy1V9Czc\ntJZPwrX1/bPmyfedhj6PDI8/YLgi4wR1eoyV1zGAmmEHOLmbstSjuWTcCFqKJTuv\nwCOYGWnoPDsEo/i46XUdJZe2sNKpkKLs2awcY7l2bVigkEQee/wRknvCfho7d6dT\nhr330305D5vG+6qPjN2CrCM/JHW3I1ZiBS576NfvUB22RCTDoQmpW0xlyC8uX7sv\nlGx/igtY0T7+rCdA3ruIxomcHsAssBAAGAkGKxRufxlqbmocUcNC13HtrDUsbHUo\ntS95zvmeaIYOD3/Nu33/aaP7iXlLGkTBo42XnzEoWqQR8vnZI10Ql+pm8xhrkDAN\nLzhUs7/lUg6+K5aY60RS7cPiXj0FUJBSnrdonMe6oCsld6ZYE8yF4DZbPiHp6KIw\npWWVjssJBMizXb2F5TbACBTMfi+W7IrVorbYGMTCXm6gI/QB/ptIm8PPfgUU3pOz\nO3NPjfuH9B1+yJyfp0f2WldxBvAtzGunbewNai3dWWcP0104Ze8vkmwcND8CAwEA\nAaMQMA4wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAhzl8vimWG2hf\nacsZNUeR8aSSlwS24Hhx2QAtkP3Caj8PD9OSkR6TxgUge4sFV/oADjrpR7OUapg5\nRqsqvcRmnIBGsmvROA733MLO2zoPQ9UQlGSRD55Kpkfld0Wf0zqwOatlpKjZJb95\nKxDz8ahsUrrFka5nrNn7Zx00r0BpmuJOMjwb3h6+lOiQovWdFhkJYzqXo/Y7BFzO\nvv9E2r5QsGcmSNsD4hB9OrcAQg2aNwHPA+FP2gtpp8xKE5J0hMipHmdyqsOJVc5f\n1zolS9E2FwLRnV59AlT4zW1m5ucXrt3skpW+7pe7tdGhtQKHXDFbODaJq0kJkFmu\nfF39L1z6rUicigt+JO+/9XdanOQ2HYXAMe9lxE4j8FTmgXBnOT9ByVM5Z3BGnY1e\n9r7cQbVwKAs0znhHz9CPq289fve/urUrO5QVlGJVokXQQj9US3zUaQ1LwBSSTvIJ\nz8dCcZPlSeinD48QBNych6+XSkaA/plxD18C78jwQyZXZdFkN3jJnHl2M8x7bcVe\n+enEeofFEgJVCKKdTKqHvGQaz3R+J4OlrNNUQRu1UJS/t1v5NRqvytw9xaMsdybj\n8Uf8uAHoHpsM02Ta7q0UuhvGw6QBXHkYSN5Q8PyRBkEl9ZmDBOo55Cw9XHS01xIW\nC5ERWNHPDelGUCgdMtca+kigE7OuF74=\n-----END CERTIFICATE-----\n","fingerprint_request":"34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375","status_code":0.0}}
[2017-09-06 14:06:45 +0200] warning/JsonRpcConnection: {
	ca = "-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n"
	cert = "-----BEGIN CERTIFICATE-----\nMIIEwzCCAqugAwIBAgIVAMivkpZGU7w1kS4FWZWsJxK1q/udMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDYxMTU4NDZaFw0zMjA5\nMDIxMTU4NDZaMBAxDjAMBgNVBAMMBWFnZW50MIICIjANBgkqhkiG9w0BAQEFAAOC\nAg8AMIICCgKCAgEAo6mPNH7L1AWowJcv/CdQ8BvS/ZFDFEBHd3RAolRmhlMkpjI/\nq6uqkAqdcNmtc0h1M3H56HWsI3/3j5JD1/sWzYJw8dAU2m56kr9WfLSxZoUP5NMr\nQFtRlPpTqeIav47M0h+wiooAw6tIEccXVe/96Qf2X5eF5613DSTzvzSDQy1V9Czc\ntJZPwrX1/bPmyfedhj6PDI8/YLgi4wR1eoyV1zGAmmEHOLmbstSjuWTcCFqKJTuv\nwCOYGWnoPDsEo/i46XUdJZe2sNKpkKLs2awcY7l2bVigkEQee/wRknvCfho7d6dT\nhr330305D5vG+6qPjN2CrCM/JHW3I1ZiBS576NfvUB22RCTDoQmpW0xlyC8uX7sv\nlGx/igtY0T7+rCdA3ruIxomcHsAssBAAGAkGKxRufxlqbmocUcNC13HtrDUsbHUo\ntS95zvmeaIYOD3/Nu33/aaP7iXlLGkTBo42XnzEoWqQR8vnZI10Ql+pm8xhrkDAN\nLzhUs7/lUg6+K5aY60RS7cPiXj0FUJBSnrdonMe6oCsld6ZYE8yF4DZbPiHp6KIw\npWWVjssJBMizXb2F5TbACBTMfi+W7IrVorbYGMTCXm6gI/QB/ptIm8PPfgUU3pOz\nO3NPjfuH9B1+yJyfp0f2WldxBvAtzGunbewNai3dWWcP0104Ze8vkmwcND8CAwEA\nAaMQMA4wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAhzl8vimWG2hf\nacsZNUeR8aSSlwS24Hhx2QAtkP3Caj8PD9OSkR6TxgUge4sFV/oADjrpR7OUapg5\nRqsqvcRmnIBGsmvROA733MLO2zoPQ9UQlGSRD55Kpkfld0Wf0zqwOatlpKjZJb95\nKxDz8ahsUrrFka5nrNn7Zx00r0BpmuJOMjwb3h6+lOiQovWdFhkJYzqXo/Y7BFzO\nvv9E2r5QsGcmSNsD4hB9OrcAQg2aNwHPA+FP2gtpp8xKE5J0hMipHmdyqsOJVc5f\n1zolS9E2FwLRnV59AlT4zW1m5ucXrt3skpW+7pe7tdGhtQKHXDFbODaJq0kJkFmu\nfF39L1z6rUicigt+JO+/9XdanOQ2HYXAMe9lxE4j8FTmgXBnOT9ByVM5Z3BGnY1e\n9r7cQbVwKAs0znhHz9CPq289fve/urUrO5QVlGJVokXQQj9US3zUaQ1LwBSSTvIJ\nz8dCcZPlSeinD48QBNych6+XSkaA/plxD18C78jwQyZXZdFkN3jJnHl2M8x7bcVe\n+enEeofFEgJVCKKdTKqHvGQaz3R+J4OlrNNUQRu1UJS/t1v5NRqvytw9xaMsdybj\n8Uf8uAHoHpsM02Ta7q0UuhvGw6QBXHkYSN5Q8PyRBkEl9ZmDBOo55Cw9XHS01xIW\nC5ERWNHPDelGUCgdMtca+kigE7OuF74=\n-----END CERTIFICATE-----\n"
	fingerprint_request = "34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375"
	status_code = 0.000000
}
[2017-09-06 14:06:45 +0200] warning/JsonRpcConnection: Received certificate update message for CN 'agent'
var-b/lib/icinga2/certificate-requests//34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375.json
[2017-09-06 14:06:45 +0200] warning/JsonRpcConnection: Saved certificate update for CN 'agent'

Satellite sees that the client requests certificate on reconnect:

[2017-09-06 14:08:44 +0200] information/ApiListener: New client connection for identity 'agent' from [::ffff:127.0.0.1]:56017 (certificate validation failed: code 18: self signed certificate)
<< {"jsonrpc":"2.0","method":"icinga::Hello","params":{}}
<< {"jsonrpc":"2.0","method":"pki::RequestCertificate","params":{"ticket":""}}

Satellite sends the updated certificate to the client

>> {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIEwzCCAqugAwIBAgIVAMivkpZGU7w1kS4FWZWsJxK1q/udMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDYxMTU4NDZaFw0zMjA5\nMDIxMTU4NDZaMBAxDjAMBgNVBAMMBWFnZW50MIICIjANBgkqhkiG9w0BAQEFAAOC\nAg8AMIICCgKCAgEAo6mPNH7L1AWowJcv/CdQ8BvS/ZFDFEBHd3RAolRmhlMkpjI/\nq6uqkAqdcNmtc0h1M3H56HWsI3/3j5JD1/sWzYJw8dAU2m56kr9WfLSxZoUP5NMr\nQFtRlPpTqeIav47M0h+wiooAw6tIEccXVe/96Qf2X5eF5613DSTzvzSDQy1V9Czc\ntJZPwrX1/bPmyfedhj6PDI8/YLgi4wR1eoyV1zGAmmEHOLmbstSjuWTcCFqKJTuv\nwCOYGWnoPDsEo/i46XUdJZe2sNKpkKLs2awcY7l2bVigkEQee/wRknvCfho7d6dT\nhr330305D5vG+6qPjN2CrCM/JHW3I1ZiBS576NfvUB22RCTDoQmpW0xlyC8uX7sv\nlGx/igtY0T7+rCdA3ruIxomcHsAssBAAGAkGKxRufxlqbmocUcNC13HtrDUsbHUo\ntS95zvmeaIYOD3/Nu33/aaP7iXlLGkTBo42XnzEoWqQR8vnZI10Ql+pm8xhrkDAN\nLzhUs7/lUg6+K5aY60RS7cPiXj0FUJBSnrdonMe6oCsld6ZYE8yF4DZbPiHp6KIw\npWWVjssJBMizXb2F5TbACBTMfi+W7IrVorbYGMTCXm6gI/QB/ptIm8PPfgUU3pOz\nO3NPjfuH9B1+yJyfp0f2WldxBvAtzGunbewNai3dWWcP0104Ze8vkmwcND8CAwEA\nAaMQMA4wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAhzl8vimWG2hf\nacsZNUeR8aSSlwS24Hhx2QAtkP3Caj8PD9OSkR6TxgUge4sFV/oADjrpR7OUapg5\nRqsqvcRmnIBGsmvROA733MLO2zoPQ9UQlGSRD55Kpkfld0Wf0zqwOatlpKjZJb95\nKxDz8ahsUrrFka5nrNn7Zx00r0BpmuJOMjwb3h6+lOiQovWdFhkJYzqXo/Y7BFzO\nvv9E2r5QsGcmSNsD4hB9OrcAQg2aNwHPA+FP2gtpp8xKE5J0hMipHmdyqsOJVc5f\n1zolS9E2FwLRnV59AlT4zW1m5ucXrt3skpW+7pe7tdGhtQKHXDFbODaJq0kJkFmu\nfF39L1z6rUicigt+JO+/9XdanOQ2HYXAMe9lxE4j8FTmgXBnOT9ByVM5Z3BGnY1e\n9r7cQbVwKAs0znhHz9CPq289fve/urUrO5QVlGJVokXQQj9US3zUaQ1LwBSSTvIJ\nz8dCcZPlSeinD48QBNych6+XSkaA/plxD18C78jwQyZXZdFkN3jJnHl2M8x7bcVe\n+enEeofFEgJVCKKdTKqHvGQaz3R+J4OlrNNUQRu1UJS/t1v5NRqvytw9xaMsdybj\n8Uf8uAHoHpsM02Ta7q0UuhvGw6QBXHkYSN5Q8PyRBkEl9ZmDBOo55Cw9XHS01xIW\nC5ERWNHPDelGUCgdMtca+kigE7OuF74=\n-----END CERTIFICATE-----\n","fingerprint_request":"34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375","status_code":0.0}}

Client receives the updated certificate, stores it, updates the SSL certificates at runtime and reconnects all endpoints.

<< {"jsonrpc":"2.0","method":"pki::UpdateCertificate","params":{"ca":"-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n","cert":"-----BEGIN CERTIFICATE-----\nMIIEwzCCAqugAwIBAgIVAMivkpZGU7w1kS4FWZWsJxK1q/udMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDYxMTU4NDZaFw0zMjA5\nMDIxMTU4NDZaMBAxDjAMBgNVBAMMBWFnZW50MIICIjANBgkqhkiG9w0BAQEFAAOC\nAg8AMIICCgKCAgEAo6mPNH7L1AWowJcv/CdQ8BvS/ZFDFEBHd3RAolRmhlMkpjI/\nq6uqkAqdcNmtc0h1M3H56HWsI3/3j5JD1/sWzYJw8dAU2m56kr9WfLSxZoUP5NMr\nQFtRlPpTqeIav47M0h+wiooAw6tIEccXVe/96Qf2X5eF5613DSTzvzSDQy1V9Czc\ntJZPwrX1/bPmyfedhj6PDI8/YLgi4wR1eoyV1zGAmmEHOLmbstSjuWTcCFqKJTuv\nwCOYGWnoPDsEo/i46XUdJZe2sNKpkKLs2awcY7l2bVigkEQee/wRknvCfho7d6dT\nhr330305D5vG+6qPjN2CrCM/JHW3I1ZiBS576NfvUB22RCTDoQmpW0xlyC8uX7sv\nlGx/igtY0T7+rCdA3ruIxomcHsAssBAAGAkGKxRufxlqbmocUcNC13HtrDUsbHUo\ntS95zvmeaIYOD3/Nu33/aaP7iXlLGkTBo42XnzEoWqQR8vnZI10Ql+pm8xhrkDAN\nLzhUs7/lUg6+K5aY60RS7cPiXj0FUJBSnrdonMe6oCsld6ZYE8yF4DZbPiHp6KIw\npWWVjssJBMizXb2F5TbACBTMfi+W7IrVorbYGMTCXm6gI/QB/ptIm8PPfgUU3pOz\nO3NPjfuH9B1+yJyfp0f2WldxBvAtzGunbewNai3dWWcP0104Ze8vkmwcND8CAwEA\nAaMQMA4wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAhzl8vimWG2hf\nacsZNUeR8aSSlwS24Hhx2QAtkP3Caj8PD9OSkR6TxgUge4sFV/oADjrpR7OUapg5\nRqsqvcRmnIBGsmvROA733MLO2zoPQ9UQlGSRD55Kpkfld0Wf0zqwOatlpKjZJb95\nKxDz8ahsUrrFka5nrNn7Zx00r0BpmuJOMjwb3h6+lOiQovWdFhkJYzqXo/Y7BFzO\nvv9E2r5QsGcmSNsD4hB9OrcAQg2aNwHPA+FP2gtpp8xKE5J0hMipHmdyqsOJVc5f\n1zolS9E2FwLRnV59AlT4zW1m5ucXrt3skpW+7pe7tdGhtQKHXDFbODaJq0kJkFmu\nfF39L1z6rUicigt+JO+/9XdanOQ2HYXAMe9lxE4j8FTmgXBnOT9ByVM5Z3BGnY1e\n9r7cQbVwKAs0znhHz9CPq289fve/urUrO5QVlGJVokXQQj9US3zUaQ1LwBSSTvIJ\nz8dCcZPlSeinD48QBNych6+XSkaA/plxD18C78jwQyZXZdFkN3jJnHl2M8x7bcVe\n+enEeofFEgJVCKKdTKqHvGQaz3R+J4OlrNNUQRu1UJS/t1v5NRqvytw9xaMsdybj\n8Uf8uAHoHpsM02Ta7q0UuhvGw6QBXHkYSN5Q8PyRBkEl9ZmDBOo55Cw9XHS01xIW\nC5ERWNHPDelGUCgdMtca+kigE7OuF74=\n-----END CERTIFICATE-----\n","fingerprint_request":"34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375","status_code":0.0}}
[2017-09-06 14:08:44 +0200] warning/JsonRpcConnection: {
	ca = "-----BEGIN CERTIFICATE-----\nMIIEyTCCArGgAwIBAgIUbw7jt3sXg1D3zyXtV+5vHvcyEXswDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE3MDkwNTEyNDEwNVoXDTMyMDkw\nMTEyNDEwNVowFDESMBAGA1UEAwwJSWNpbmdhIENBMIICIjANBgkqhkiG9w0BAQEF\nAAOCAg8AMIICCgKCAgEA8zKzwSQmBjLUe7mIpbwgwd/ATnvr1QhC+qW+e0KHUQkJ\nnbxH5+M9v6qYCy0WigWMCR0SrUKVgsk20v5omk9fbVHoZPawzpuOZMXzThtqPURL\nfAY/bVPvv8q8/D0zKThJj9ukKbO+g8iCA4xYC0LMv9or2GdYNZW+JHARtlUtY3wO\nMey8RNJzg5TnRLZtKOyi58tQvA1qJUSPbXFnMRqDRK9lo06zGAON+DhzBZMhh388\nkC5mOpe+2UfUJg3OKm34yUNtJOiPq1VNzL1NDUmH3JwctotGKfnFrfxbkw9KassV\nRf5+5WpidT83elVU5/BhXKdZOFQrKG/xD5JhrXBT5q79M/SXIlr1r0oFjMcBZBug\n8p8MKuJ3PK4qcjTUZaruyx7iw8Tw6XoBReCyAMpzwfzKt7wN/Emma64IIxPmWAv3\niiwC8Q5tiTJYpiTKL38KjWsDQl9A9LwICIhPQr8hIP5m/yXsMg28DyCP7qOTE24F\nYQ4R2JliahB9ovqnlN4sbBmOn8gta0utjnIFTw/LKqEcjQXGT0S/lCydHS8ocZTB\nJJsZe4OmAH54Z6aJOLUOP7YkfX9UFBvs4XwolwMW/n01H/KWV+bnBD8QwtmSMGCw\nysoel/bmUFrhy0287m+p4GBB3ypV4zVtURguUEHtjofBw3TVyVX4xugpC1DY7u0C\nAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAJSRb\nPrcQvnZze7LzJUiSYJerlu/2WM5HDwWLfHzd8kzHaM7plSoZtV/lrTKv/nglgXLE\n3r2oSqaUl5mCBJ5QGVYP6O+WMtgJf6Zr2yiul4nOqthmBA/CtrO5ixp8gCaP5eDP\n9oC+mpna1yr2h0lM7X3LsLbLN9OlnJ58bKdbsbxhxlGfll20qEL7dt3A4x/nUe2r\nTY5eEkunKSgj0R00SDzL15Va0Z/xzYC0J6QVb7kbL2c5C/VlbWX12SLNIDEVwGOf\nZA9GVJ2F5LYJIZhIuFwnw0tVBZaOEdKbWqJUn5RZLXZApYANHrVSg4wzL6B3qgoV\nQeywMGhZD1B9eaPsJ6rDmCZOZ+/XI1OTjDv6eYMHrWCoDhNUfQ7QL9CATVsfl+g7\nrcW1uJKAiv8xIJJQ5Kzq0SE2ekk59KMyDIi+tbqonNsZQ7m0mRtMvMNkWm5xcHpf\n2k+QcV3fYtP85mMAV3bJGkUa9Y18qZAkVbfyqp+dQmb23f52Clvu106+gn8tJ6p2\ngmxoB4G44fU/BKj3IkS5sMMzjyXYAgcQJGVGs4+6+3z6G2QKZBU5cM7Fa1y1x0IC\nKq/gO3BKj6QblV2oZooJRzS42IMiK4/cAkRNwYl5sngwvi3uRD1HQ4pG+XtkhJeq\nyE1JhKNizjjGnB8zJGVHnoA1c82EOIFxreHV1ZE=\n-----END CERTIFICATE-----\n"
	cert = "-----BEGIN CERTIFICATE-----\nMIIEwzCCAqugAwIBAgIVAMivkpZGU7w1kS4FWZWsJxK1q/udMA0GCSqGSIb3DQEB\nCwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xNzA5MDYxMTU4NDZaFw0zMjA5\nMDIxMTU4NDZaMBAxDjAMBgNVBAMMBWFnZW50MIICIjANBgkqhkiG9w0BAQEFAAOC\nAg8AMIICCgKCAgEAo6mPNH7L1AWowJcv/CdQ8BvS/ZFDFEBHd3RAolRmhlMkpjI/\nq6uqkAqdcNmtc0h1M3H56HWsI3/3j5JD1/sWzYJw8dAU2m56kr9WfLSxZoUP5NMr\nQFtRlPpTqeIav47M0h+wiooAw6tIEccXVe/96Qf2X5eF5613DSTzvzSDQy1V9Czc\ntJZPwrX1/bPmyfedhj6PDI8/YLgi4wR1eoyV1zGAmmEHOLmbstSjuWTcCFqKJTuv\nwCOYGWnoPDsEo/i46XUdJZe2sNKpkKLs2awcY7l2bVigkEQee/wRknvCfho7d6dT\nhr330305D5vG+6qPjN2CrCM/JHW3I1ZiBS576NfvUB22RCTDoQmpW0xlyC8uX7sv\nlGx/igtY0T7+rCdA3ruIxomcHsAssBAAGAkGKxRufxlqbmocUcNC13HtrDUsbHUo\ntS95zvmeaIYOD3/Nu33/aaP7iXlLGkTBo42XnzEoWqQR8vnZI10Ql+pm8xhrkDAN\nLzhUs7/lUg6+K5aY60RS7cPiXj0FUJBSnrdonMe6oCsld6ZYE8yF4DZbPiHp6KIw\npWWVjssJBMizXb2F5TbACBTMfi+W7IrVorbYGMTCXm6gI/QB/ptIm8PPfgUU3pOz\nO3NPjfuH9B1+yJyfp0f2WldxBvAtzGunbewNai3dWWcP0104Ze8vkmwcND8CAwEA\nAaMQMA4wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAhzl8vimWG2hf\nacsZNUeR8aSSlwS24Hhx2QAtkP3Caj8PD9OSkR6TxgUge4sFV/oADjrpR7OUapg5\nRqsqvcRmnIBGsmvROA733MLO2zoPQ9UQlGSRD55Kpkfld0Wf0zqwOatlpKjZJb95\nKxDz8ahsUrrFka5nrNn7Zx00r0BpmuJOMjwb3h6+lOiQovWdFhkJYzqXo/Y7BFzO\nvv9E2r5QsGcmSNsD4hB9OrcAQg2aNwHPA+FP2gtpp8xKE5J0hMipHmdyqsOJVc5f\n1zolS9E2FwLRnV59AlT4zW1m5ucXrt3skpW+7pe7tdGhtQKHXDFbODaJq0kJkFmu\nfF39L1z6rUicigt+JO+/9XdanOQ2HYXAMe9lxE4j8FTmgXBnOT9ByVM5Z3BGnY1e\n9r7cQbVwKAs0znhHz9CPq289fve/urUrO5QVlGJVokXQQj9US3zUaQ1LwBSSTvIJ\nz8dCcZPlSeinD48QBNych6+XSkaA/plxD18C78jwQyZXZdFkN3jJnHl2M8x7bcVe\n+enEeofFEgJVCKKdTKqHvGQaz3R+J4OlrNNUQRu1UJS/t1v5NRqvytw9xaMsdybj\n8Uf8uAHoHpsM02Ta7q0UuhvGw6QBXHkYSN5Q8PyRBkEl9ZmDBOo55Cw9XHS01xIW\nC5ERWNHPDelGUCgdMtca+kigE7OuF74=\n-----END CERTIFICATE-----\n"
	fingerprint_request = "34a874e174fbba03810c898419a15ffd4cc6defe72191cb4803e676f8e0e7375"
	status_code = 0.000000
}
[2017-09-06 14:08:44 +0200] information/JsonRpcConnection: Received certificate update message for CN 'agent'
[2017-09-06 14:08:44 +0200] information/JsonRpcConnection: Updating the client certificate for the ApiListener object
[2017-09-06 14:08:44 +0200] warning/JsonRpcConnection: API client disconnected for identity 'satellite'
[2017-09-06 14:08:44 +0200] warning/JsonRpcConnection: API client disconnected for identity 'satellite'
[2017-09-06 14:08:44 +0200] warning/ApiListener: Removing API client for endpoint 'satellite'. 0 API clients left.
[2017-09-06 14:08:44 +0200] warning/ApiListener: Removing API client for endpoint 'satellite'. 0 API clients left.

The next time the connection is re-established, it is a trusted signed relationship.

[2017-09-06 14:09:44 +0200] information/ApiListener: Reconnecting to endpoint 'satellite' via host '127.0.0.1' and port '5666'
[2017-09-06 14:09:44 +0200] information/ApiListener: New client connection for identity 'satellite' to [127.0.0.1]:5666
>> {"jsonrpc":"2.0","method":"icinga::Hello","params":{}}
[2017-09-06 14:09:44 +0200] information/ApiListener: Finished reconnecting to endpoint 'satellite' via host '127.0.0.1' and port '5666'

On the satellite (we don't have an Endpoint object yet, but seeing this message means that the SSL handshake was successful).

[2017-09-06 14:09:44 +0200] information/ApiListener: New client connection for identity 'agent' from [::ffff:127.0.0.1]:56019 (no Endpoint object found for identity)

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 6, 2017

Certificate renewal

If the client certificate will be expired in 30 days, the client will automatically request a new certificate based on the current signed trusted relationship.

This is also true for certificates generated before 1.1.2017 to allow certificate updates with possible broken serials in #5511

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 6, 2017

Clients without connection to the parent node

You may run the node wizard command, but select to not connect to the master (or parent node).

The wizard will tell you where to put the public CA certificate in order to start Icinga 2. You need to copy that manually from the master to let the parent node connect and do the certificate request thing.

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 6, 2017

More logging

Client

[2017-09-06 16:44:21 +0200] information/JsonRpcConnection: Received certificate update message for CN 'agent'
[2017-09-06 16:44:21 +0200] information/JsonRpcConnection: Updating CA certificate in 'var-c/lib/icinga2/certs/ca.crt'.
[2017-09-06 16:44:21 +0200] information/JsonRpcConnection: Updating client certificate for CN 'agent' in 'var-c/lib/icinga2/certs/agent.crt'.
[2017-09-06 16:44:21 +0200] information/JsonRpcConnection: Updating the client certificate at runtime and reconnecting the endpoints.

Satellite

[2017-09-06 16:45:21 +0200] information/JsonRpcConnection: Received certificate request from identity 'agent' signed by our CA.
[2017-09-06 16:45:21 +0200] information/JsonRpcConnection: The certificate for identity 'agent' cannot be renewed yet.

Master and Satellite

[2017-09-06 17:02:43 +0200] information/JsonRpcConnection: Received certificate request for CN 'agent' not signed by our CA.
[2017-09-06 17:04:11 +0200] information/JsonRpcConnection: Certificate request is pending. Waiting for approval.

Signed certificate update

w==\n-----END CERTIFICATE-----\n","ticket":""},"ts":1504710371.3720669746}
[2017-09-06 17:06:11 +0200] information/JsonRpcConnection: Received certificate request for CN 'agent' not signed by our CA.
[2017-09-06 17:06:11 +0200] information/JsonRpcConnection: Sending certificate response for CN 'agent' to endpoint 'satellite'.
[2017-09-06 17:06:11 +0200] information/JsonRpcConnection: Received certificate update message for CN 'agent'

[2017-09-06 17:06:11 +0200] information/JsonRpcConnection: Saved certificate update for CN 'agent'
[2017-09-06 17:08:11 +0200] information/JsonRpcConnection: Received certificate update message for CN 'agent'
[2017-09-06 17:08:11 +0200] information/JsonRpcConnection: Updating CA certificate in 'var-c/lib/icinga2/certs/ca.crt'.
[2017-09-06 17:08:11 +0200] information/JsonRpcConnection: Updating client certificate for CN 'agent' in 'var-c/lib/icinga2/certs/agent.crt'.
[2017-09-06 17:08:11 +0200] information/JsonRpcConnection: Updating the client certificate at runtime and reconnecting the endpoints.
[2017-09-06 17:08:11 +0200] warning/JsonRpcConnection: API client disconnected for identity 'satellite'
[2017-09-06 17:08:11 +0200] warning/JsonRpcConnection: API client disconnected for identity 'satellite'
[2017-09-06 17:08:11 +0200] warning/ApiListener: Removing API client for endpoint 'satellite'. 0 API clients left.
[2017-09-06 17:08:11 +0200] warning/ApiListener: Removing API client for endpoint 'satellite'. 0 API clients left.

dnsmichi pushed a commit that referenced this issue Sep 6, 2017
Examples:
#5450 (comment)

This also adds code comments where applicable.
@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 6, 2017

CLI Commands

Refactoring the CLI commands a bit, first part.

icinga2_caproxy_node_wizard_refactor_01

icinga2_caproxy_node_wizard_refactor_02

@gunnarbeutner
Copy link
Contributor

TODO list:

screen shot 2017-09-07 at 11 12 59

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 7, 2017

Client has no connection

icinga2_caproxy_node_wizard_no_connection

gunnarbeutner pushed a commit that referenced this issue Sep 7, 2017
Examples:
#5450 (comment)

This also adds code comments where applicable.
@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 7, 2017

Multi-Master setup

Master 2 Setup

master2 as satellite

icinga2_caproxy_secondary_master_ticketless

master1

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca list
Fingerprint                                                      | Timestamp           | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
f0f24f3d50ff1ef01f6554de8f811f12421a9fda89ee48513befab35c74e3bee | 2017/09/07 15:40:14 |        | CN = master2
michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca sign f0f24f3d50ff1ef01f6554de8f811f12421a9fda89ee48513befab35c74e3bee
information/cli: Signed certificate for 'CN = master2'.
michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca list
Fingerprint                                                      | Timestamp           | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
f0f24f3d50ff1ef01f6554de8f811f12421a9fda89ee48513befab35c74e3bee | 2017/09/07 15:40:14 | *      | CN = master2

master2

[2017-09-07 15:41:31 +0200] information/JsonRpcConnection: Received certificate update message for CN 'master2'
[2017-09-07 15:41:31 +0200] information/JsonRpcConnection: Updating CA certificate in 'var-b/lib/icinga2/certs/ca.crt'.
[2017-09-07 15:41:31 +0200] information/JsonRpcConnection: Updating client certificate for CN 'master2' in 'var-b/lib/icinga2/certs/master2.crt'.
[2017-09-07 15:41:31 +0200] information/JsonRpcConnection: Updating the client certificate for CN 'master2'at runtime and reconnecting the endpoints.

Agent setup through Master 2

Agent
icinga2_caproxy_secondary_master_agent_ticketless

[2017-09-07 15:45:08 +0200] information/ApiListener: Requesting new certificate for this Icinga instance from endpoint 'master2'.

Master 2

[2017-09-07 15:47:08 +0200] information/ApiListener: New client connection for identity 'agent' from [::ffff:127.0.0.1]:61717 (certificate validation failed: code 18: self signed certificate)
[2017-09-07 15:47:08 +0200] information/JsonRpcConnection: Received certificate request for CN 'agent' not signed by our CA.
[2017-09-07 15:47:08 +0200] information/JsonRpcConnection: Certificate request for CN 'agent' is pending. Waiting for approval.

Master 1

[2017-09-07 15:47:08 +0200] information/JsonRpcConnection: Received certificate request for CN 'agent' not signed by our CA.
[2017-09-07 15:47:08 +0200] information/JsonRpcConnection: Certificate request for CN 'agent' is pending. Waiting for approval.

Sign it on master 1

michi@mbmif ~/coding/testing/icinga2 (master *) $ ./icinga2a ca sign f31f72fbd014a63ede9cd8253c7fe637e9ae93e58d9a378d64cf9df22f2bb827
information/cli: Signed certificate for 'CN = agent'.
[2017-09-07 15:48:31 +0200] information/JsonRpcConnection: Received certificate request for CN 'agent' not signed by our CA.
[2017-09-07 15:48:31 +0200] information/JsonRpcConnection: Sending certificate response for CN 'agent' to endpoint 'master2'.

Master 2

[2017-09-07 15:48:31 +0200] information/JsonRpcConnection: Received certificate update message for CN 'agent'
[2017-09-07 15:48:31 +0200] information/JsonRpcConnection: Saved certificate update for CN 'agent'
[2017-09-07 15:49:08 +0200] information/ApiListener: New client connection for identity 'agent' from [::ffff:127.0.0.1]:61721 (certificate validation failed: code 18: self signed certificate)
[2017-09-07 15:49:08 +0200] information/JsonRpcConnection: Received certificate request for CN 'agent' not signed by our CA.
[2017-09-07 15:49:08 +0200] information/JsonRpcConnection: Sending certificate response for CN 'agent' to endpoint 'agent'.

Agent

[2017-09-07 15:49:08 +0200] information/JsonRpcConnection: Received certificate update message for CN 'agent'
[2017-09-07 15:49:08 +0200] information/JsonRpcConnection: Updating CA certificate in 'var-c/lib/icinga2/certs/ca.crt'.
[2017-09-07 15:49:08 +0200] information/JsonRpcConnection: Updating client certificate for CN 'agent' in 'var-c/lib/icinga2/certs/agent.crt'.
[2017-09-07 15:49:08 +0200] information/JsonRpcConnection: Updating the client certificate for CN 'agent'at runtime and reconnecting the endpoints.
[2017-09-07 15:49:08 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master2'
[2017-09-07 15:49:08 +0200] warning/JsonRpcConnection: API client disconnected for identity 'master2'
[2017-09-07 15:49:08 +0200] warning/ApiListener: Removing API client for endpoint 'master2'. 0 API clients left.
[2017-09-07 15:49:08 +0200] warning/ApiListener: Removing API client for endpoint 'master2'. 0 API clients left.

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 7, 2017

User documentation for signing methods and the linux setups has been added.

Technical documentation will be added tomorrow.

Windows setup wizard depend on pending changes for the Windows wizard itself (tickets are coming).

@dnsmichi
Copy link
Contributor Author

dnsmichi commented Sep 7, 2017

0624a9c...7772e69

gunnarbeutner added a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
Examples:
#5450 (comment)

This also adds code comments where applicable.

refs #5450
gunnarbeutner added a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
…s selected

This also fixes the choice tree for connection-less questions
and prevents empty tickets being stored on disk.

refs #5450
gunnarbeutner added a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
…setups

Better explanation for "CSR Auto-Signing" and a new term "On-Demand CSR Signing".

The Linux setup now accompanies the user step by step on each question asked.
The full table with all the details is moved to the bottom.

TODO: The Windows setup wizard does not support connection-less or ticket-less requests yet.

refs #5450
gunnarbeutner pushed a commit that referenced this issue Sep 12, 2017
gunnarbeutner added a commit that referenced this issue Sep 12, 2017
gunnarbeutner added a commit that referenced this issue Sep 12, 2017
dnsmichi pushed a commit that referenced this issue Sep 22, 2017
Crunsher added a commit that referenced this issue Oct 23, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/cli Command line helpers area/distributed Distributed monitoring (master, satellites, clients) blocker Blocks a release or needs immediate attention enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants