Docs: External CA/PKI: clarify intermediate CA cross-signing options

[Al2Klimov]

No description provided.

[Al2Klimov]

@mkayontour had some questions on this section. While answering, I thought of an option to suggest, but then realized it's not documented yet.😅 So before I explained it in 🇩🇪, I thought let's just write it down in 🇬🇧 here:

[oxzi]

Thanks for improving the docs, highly appreciated!

I made some suggestions regarding wording and spelling.

[oxzi]

What should this paragraph say? Sorry for the blunt words, but I am confused reading this.

For Icinga to trust only its own CA, if the latter shall be an intermediate one,

Doesn't Icinga always has to trust its own CA? And isn't this whole chapter about intermediate CAs?

If I get the general gist right, how about something like:

In order to use an intermediate CA with Icinga, you can do one of the following, depending on the policies you have in place.

[Al2Klimov]

If you have Root -> Int₁ -> Leaf, in a sane setup, you'd probably just use Root as Icinga Root CA. But then Icinga trusts Int_n. Some people want Icinga to trust only Int₁, e.g #7719 (comment). But, as already in our docs, OpenSSL doesn't support an intermediate CA as root one, so you have to cross-sign.

But you can do latter in two directions, this is what I'm clarifying here.

[oxzi]

Why is this policy lax and the other strict? This has some implications, potentially leading people to irrational decisions. I would suggest dropping the rating.

Suggested change

	###### Lax policy, Icinga itself issues leave certificates
	###### Leaf certificates issued by Icinga

[oxzi]

Suggested change

	1. Setup Icinga as usual, with its own CA issueing leave certificates
	1. Setup Icinga as usual, with its own CA issuing leaf certificates.

[oxzi]

Suggested change

	2. Cross-sign that CA with the desired parent CA, so that you get an intermediate CA
	with the same subject and public key as the Icinga-own root CA
	2. Cross-sign this CA with the desired parent CA to create an intermediate CA.

[oxzi]

Suggested change

	3. Add that new intermediate CA to your trusted root CAs whereever possible and needed
	to have an uninterrupted chain from your company CA to Icinga leave certificates
	3. Add that new intermediate CA to your trusted root CAs where needed
	to have an uninterrupted chain from your main CA to Icinga leaf certificates.

[oxzi]

Suggested change

	###### Strict policy, Icinga doesn't issue leave certificates
	###### Leaf certificates issued externally

[oxzi]

Please end each sentence with a period and change leave to leaf, as I have suggested above.

Furthermore, this route needs a bit more details, imo. First, how should the intermediate CA be created? Then, unless I am mistaken, how can a CA cross-sign itself? Isn't this self-signing? When referring to "the latter" in your third statement, do you mean the signed one? Please name it.

[Al2Klimov]

I'll have a look.

First, how should the intermediate CA be created?

• We already decided in Doc: Distributed Monitoring: add section "External CA/PKI" #9825 not to train people to do this

[oxzi]

IMHO, this still has very high "draw the rest of the owl" energy.

[mkayontour]

ref/NC/842002