Docs: External CA/PKI: clarify intermediate CA cross-signing options

[Al2Klimov]

No description provided.

[Al2Klimov]

@mkayontour had some questions on this section. While answering, I thought of an option to suggest, but then realized it's not documented yet.😅 So before I explained it in 🇩🇪, I thought let's just write it down in 🇬🇧 here:

[oxzi]

Thanks for improving the docs, highly appreciated!

I made some suggestions regarding wording and spelling.

[oxzi]

What should this paragraph say? Sorry for the blunt words, but I am confused reading this.

For Icinga to trust only its own CA, if the latter shall be an intermediate one,

Doesn't Icinga always has to trust its own CA? And isn't this whole chapter about intermediate CAs?

If I get the general gist right, how about something like:

In order to use an intermediate CA with Icinga, you can do one of the following, depending on the policies you have in place.

[Al2Klimov]

If you have Root -> Int₁ -> Leaf, in a sane setup, you'd probably just use Root as Icinga Root CA. But then Icinga trusts Int_n. Some people want Icinga to trust only Int₁, e.g #7719 (comment). But, as already in our docs, OpenSSL doesn't support an intermediate CA as root one, so you have to cross-sign.

But you can do latter in two directions, this is what I'm clarifying here.

[oxzi]

Please end each sentence with a period and change leave to leaf, as I have suggested above.

Furthermore, this route needs a bit more details, imo. First, how should the intermediate CA be created? Then, unless I am mistaken, how can a CA cross-sign itself? Isn't this self-signing? When referring to "the latter" in your third statement, do you mean the signed one? Please name it.

[Al2Klimov]

I'll have a look.

First, how should the intermediate CA be created?

• We already decided in Doc: Distributed Monitoring: add section "External CA/PKI" #9825 not to train people to do this

[oxzi]

IMHO, this still has very high "draw the rest of the owl" energy.

[mkayontour]

ref/NC/842002

[oxzi]

IMO, this whole section is still a very high-level description that is so abstract that I think it is questionable if it helps anyone. All the steps are descriptive and assume a lot of prior knowledge. Without further pointers, this may only confuse potential users who don't know how to do this, while the few with enough arcane OpenSSL knowledge won't need this information at all.

[oxzi]

Suggested change

	###### Icinga itself issues leaf certificates
	###### Leaf certificates are issued by Icinga

To match the passive tone of the other headline below.

[Al2Klimov]

Feel free to press "Commit suggestion" and trigger GHA once everything else is ✅.

[Al2Klimov]

All the steps are descriptive and assume a lot of prior knowledge.

• Just like Doc: Distributed Monitoring: add section "External CA/PKI" #9825 🤷‍♂️

few with enough arcane OpenSSL knowledge won't need this information at all.

This assumes Icinga "just does OpenSSL things" which is not entirely true. Examples:

• we auto-renew (write) certs in-place (but only if we have the CA)
• Support non-external ECC certificates #7323
• process certificate chains presented by the client #9795
• GetCertificateCN(): if the CN is missing, fall back to the DNS SAN #9889

We aren't as simple as e.g nginx. And even stuff like Postgres/OpenSMTPd have requirements beyond standard X.509:

• certs must be owned by root

So yes, software in general should note somewhere in the manual what it can do and what you may do manually without accidentally setting it on fire.

this may only confuse

Well, at this point you're already in the very last advanced subsection beyond a disclaimer (added in #9825). 🤷‍♂️

potential users who don't know how to do this

... and they SHOULD not do this. :-) But if their employer forces them to do so, we clearly describe what Icinga does by itself and what's up to you. "up to you" as in "don't even contact sales".