Icinga CA trusted system wide on Windows

[dratunless]

Icinga uses its own local Certificate Authority to handle certificates between masters, satellites and agents. On Windows servers, the Icinga CA is stored under "Trusted Root Certification Authorities" and "Third-Party Root Certification Authorities" making it trusted system wide.

Should the Icinga CA be trusted only for the Icinga service and not system wide? If so, what is the recommended approach to restrict its trust to only Icinga related components?

[LordHepipud]

Hello

Thank you for your feedback. Is there any particular reason which would go against this?
Icinga would not be the only solution storing a certificate somewhere for ensuring the validation chain of certificates works properly.

As it would only affect the system locally, there shouldn't be an issue there. If a client connects to the server, in general it doesn't have the CA assigned itself, meaning the external authentication would still not be trusted.

[dratunless]

Thank you for considering this issue.

In my opinion if the certificate is only required for the Icinga components, it should be trusted exclusively by those components. There doesn't appear to be a need for the entire system to trust the Icinga CA. This approach would also better align with the principle of least privilege.