-rw-r--r--hieradata/common.yaml32
-rw-r--r--hieradata/nodes/monitor.yaml111
-rw-r--r--sitemodules/profiles/manifests/icinga2_agent.pp14
-rw-r--r--sitemodules/profiles/manifests/icinga2_common.pp20
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp37
-rw-r--r--sitemodules/profiles/templates/icinga2_agent/setup_agent.sh.epp2
6 files changed, 192 insertions, 24 deletions
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index c9cf534..9a71926 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -141,7 +141,7 @@ profiles::icinga2_agent::pki_api_password: >
RmIpGTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAs0An2QOnxac51GTU
gCG3gDAX0FOzW/oWi8c1PDIFb+0B4cTQRi9gP2fzugKu0bp0FBB7akZV6Zx0
T5GP0WQAzU0=]
-profiles::icinga2_agent::master_host: monitor.infra.cacert.org
+profiles::icinga2_common::master_host: monitor.infra.cacert.org
profiles::icinga2_common::ca_certificate: |
-----BEGIN CERTIFICATE-----
MIIEyjCCArKgAwIBAgIVAMGxGJbZJq/vXMuXAnAC8QvFtvhMMA0GCSqGSIb3DQEB
@@ -171,3 +171,33 @@ profiles::icinga2_common::ca_certificate: |
Dlkc/kuv3szLVWx63FvOPc6ra9rmmdwmDaVTd9fGlo/NrquCQOGu59hiACPept+I
y+bP1kZ0Z+5qrmlX0zrcLspzXOyY0VX/YZ3unzyp
-----END CERTIFICATE-----
+profiles::icinga2_common::master_certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIE+jCCAuKgAwIBAgIUKbBk4rIgCPf77noCKofD3WKBR6EwDQYJKoZIhvcNAQEL
+ BQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE5MDcyMTA5NTYzMVoXDTM0MDcx
+ NzA5NTYzMVowIzEhMB8GA1UEAwwYbW9uaXRvci5pbmZyYS5jYWNlcnQub3JnMIIC
+ IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7Z9Yf0kd7Jo88QH/xhQNYvZr
+ m3rL2nIz+B67HFgQu6Q1o6wqYvn6bccTjdQFhrHcDob9XpoCs18IwDIG9fBhNR5k
+ ph7XjVzv40vh3tjjzfkvoKzPyEDxJI98DTTkDKK3UfsvTL0PwlS1xrBRW8IbbKmq
+ NNA7p8VJJanzJCv0k7idpLmmyKeRoBF0HFaGynFcoOwjoLib9polUExD8kSRfemO
+ Lwq46BGORX7id49J3DHPQv89dm4N0BPjnWGMd1x3puk+GgptEzFDNEigNmFerojM
+ KqoIhNEi4+bB3tz/aU6Sn0vm4Jm0tnlkrdX7O1nBvTvrwBa6jt94v0n9amvFV+Lz
+ Kde4ukvn8FRoEmJMaiHgSMjlU0KwawhCqC67Rf+L+nwhi4o916BcLzCMkEHbCAW0
+ 4uBZJdj29BwvWkfd7rrydUMZuBJIsKydJ13H9/kWUlsgqXayWpMl7qrJSx7XiY0Z
+ 909Nmu6+ZphlqesRcOFyZHB4hkBP8tZA9lYHOjSBFI340Fni38cMKrJQiyKAZXUQ
+ mE/i3a1J5ZXuKmYjhha4A3MtEvxrXbWP7rokYCqShJO72ThGM6RRwnEmyL4J46eR
+ GHta3apZjOqjHjY9Za+bGbQFjQ12/YanP8DeXh4Y3vxwxu3jkUnOf0VF//qav52i
+ YXn9PnJlQ2GhRtTWoccCAwEAAaM1MDMwDAYDVR0TAQH/BAIwADAjBgNVHREEHDAa
+ ghhtb25pdG9yLmluZnJhLmNhY2VydC5vcmcwDQYJKoZIhvcNAQELBQADggIBACTq
+ 0WxyhdboNInC8xNDlA/gHdWXyDx6GfOwSt9C6VDtJ4h+khoI79QKJ37cWBnhihCH
+ +evaTNo/LiXfGh41vZPKDMPrZeTJ6Zqhs/Fj5dXZ9cOh14ySDnSicHUrDvpeolE6
+ AB4GA4vyDQ5FmtCb2ewpBgFHfoOqPWdcS9S2mTrdWHIvqEfam7A1lX32SfHY6HRc
+ kf+S9z0/rk0sCOdmBuX/mcgEFtGuT23uVIJcWxWxiqW1W9BBd+ZKMXPk7A/9F3E1
+ JtI6ZQ2ToF+uxPA79ZUZaYNMSg7kS0ZtayHnxzKOK5pIiUgWBPUVGNXlindw2TGJ
+ RApS/QCanaIrxxqS1xSjahVowHD9EWcJJBxvfDX125k/FQ3gZbEvqrcSCoPClZbQ
+ K+rjjG/7v/+kU6Ruj2jopPltuS2ERLJdQyvsU7t1cpEoQ/ZbiYO2hBTguZEfY1Ek
+ BhyZWVak8Daxe/UgV7wPs8o4EsEphWie121C54a6kGmaqv+RoslWD+PzZfJA1ku+
+ 5UnNaUuqg5bD/Gxx0YpMSk9UmLpa7EUeAYw8teGwqoRiQYq6zaxkSCS3i+MlNZ7p
+ W5JiUD886njJsNu04yJObI9GVzukudVZ8SlwabM0I42aDfNpDN/AJY/ah00nTHL2
+ RUVoXfI86h8Jq7YdRNqT5g2I0HgclOi1pjGwvAuK
+ -----END CERTIFICATE-----
diff --git a/hieradata/nodes/monitor.yaml b/hieradata/nodes/monitor.yaml
index 7e4f97b..82007a1 100644
--- a/hieradata/nodes/monitor.yaml
+++ b/hieradata/nodes/monitor.yaml
@@ -143,3 +143,114 @@ profiles::icinga2_master::ca_key: >
QHfjLm7Vy2L/2vsAqJHmaYwLJbnCO4KbCGzoLFBBE2gz17wYIPIgDbVxjNRu
W1HABIXMJ8IEQJnN9mDYZWjUsutf8FRFsfAPMoAGX5M5tLVrTUQbXUjtpJ6v
RA3cuu7epXa+RGV/NdgBV1k=]
+profiles::icinga2_master::master_key: >
+ ENC[PKCS7,MIIOTQYJKoZIhvcNAQcDoIIOPjCCDjoCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAutSMdSCHNMnSQAidQt5A5eXTNNvVU1BsJxTb
+ lXX37CV5XjtRao7+B/hl8/QXXOf5neNCh/Q5yRcr47cyJnb4zFcJrIluWHeF
+ OSN4fDPogxIBixupVwWuEmxfDGUd+3QRmL8gEBXHVntzQPRW2AR7bgTldFy4
+ d6XpVnFSGLkH2C/RdWeCnKsgumbBITo0mJnNvHB7H7tPHxMMvsIbJvmqu9lC
+ OxJPZXIXnY6TlLuuIPiHpzrGsToB4dKrUYlQ9Y9KHHFN2NCRfMUNZkAd7vLR
+ ZLzTFq7XK3CaDqmAMWisbI2kBHf7GAkZJky+vxeRRsJ2B2JREw/JmqF5tD+Y
+ aVZz9DCCDQ4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEECubd68R7PosC6nC
+ SnB2SqCAggzg3aZRHoxfBmvg91xRcWB2UKb2azHGHfHjatP7dcL5EQ3l8JGd
+ fwzaUkb92HEtLBV9VqlNEnuZS3MKRxZGJFTtZ/P/Sg+gla5BEHgSX6YnGW41
+ s1JulZDqkrSecpnBQ3j+w9apExWv4dHFJJ4jlR+S1GaPh4RaKZisozc0Ln7+
+ zTZKKRWl/NCDPIw4+gpPpAWVH2xGpmUAv/kW1BGw1WQJDvr5sZ0+TgYybQbu
+ 24PI7u59wvyHiQx/qNmlk11AAw2ysvTG9hbwc0JrfbinV6eE6ibB/tloQNAl
+ /eGeNxxwOIKRFMQanWzsCUctdbUJxDoIyMBnFEf8muiLW/t4IND7+D/jK+wb
+ UnwKsZJv9uwzgGAAy2RANTDoOjPnxAN1Ikx9TapGd/TnyN1LvwGKw2YbqgBX
+ dyUqanIrHgr4SVvCr71Acw8qbUvt6NPMIgEAmF7+JD2J220WxpUu3yqYD9aS
+ i0XCmTW03ObUQVqJaW/weO7PzaPcN7hhHt/XnJC/ezXCpQl8+yc3cKyjUJY1
+ NI2RHztyp6Oill4FvBAkc1XAyVQGy8bpkAYh63ozQPuv9GlaCeL51/PYa6K9
+ AGHXPh7Zf96hpeY0qNyW3W6vu8gvL3ApGUxkI+dimC/wfwQuR5969aCYxNtu
+ siRVEUHXpIEZcGqP6dFDHieu3XC3/Dq9EPUvQ2gMO8M/SKAa4t0Ga5u2nvhD
+ xKO/UdbnP1SD9sBiL6Tlqp+iw3K+7opCho+2mJ5Z6+finL5I4ih9pNW/BONM
+ TN0J9ySDA7fFBMCM0mMlgkvd6/xts63tq8TxNn3SpJxL7RZTp2DDu8aH+gto
+ e1nDtg+f4LJwBbCpLNbN6G0Blq5IMoo0jTDuddJTig6/xaY1AcrKIWI8ZqHR
+ FAaFRJw0mhpn3R6psrEU464tvKQD5jQtlwUkYSV7M2CX9cGtgO0mw2YtNM/X
+ xTrOyymSxO64zQDce2N0m6p4/jPUPna2NLcLhxRvA4x9Esn8TEsyAUOOPv2L
+ 5fKQhOAfJmy7WxAR44phUexnsZIL6YculN+wJdkmBjYVrNm9b5XndXecbr09
+ knseandJDRPShJkVILCQ/HqlDGMy3Bg4IGup3jGW495o5NHF69ExmGHFu7zi
+ NAL2DwEqgJnfOllkwT6WTgGsJp8mXhg/2kY5zAJTb69dWGMGKKR1pHrJSyql
+ f3F6gPkop6Om0I795+u0eQPPQJu3/48n+1wvHuHG6gGLQI/2vqTv5f1cSz96
+ qCQ/5T/LQzrLwpsIlsrS6TBlboPEUHgw9v62naSVWwwqVZm4BRJQi+O1gqtw
+ Fwp+mNSn8RIZD7SVdlpGD0141FSYDXS3KuS3Qm9NCBSxVBrXgW/xKy02vDKb
+ 4eAmkxDB80VeTOLoq08bO+8gA6kksXEO6JR6ZEhH9d6DbyvwfgYws82sTi9V
+ 4t31pAFyFr2lERrP8dNchwiNbMrSYyY77+ko6MG0V/oAxPlPQyzNzM139JRz
+ H2vzIW/wq8+tNRDdvF7M0iK8EdPUj/Q6Q+BBKREp98ArjmjFLEWx8nRLjy48
+ O9BzJ9ZGZlKKxPwx3uFptPHMn//syZmVdEfqHdsXO1AWRbqOqj5dB65Dq/m4
+ +Bo/kXJAL/thltK7uO/F/yKrh686Dl2l49uQbTpksi7Sa/b+CHmWFmkzKvQH
+ eJ2SOdjjRjST83dlc8QMjkF2WqYf450j6rd2KzK32ZoeQbd9z7yM9/6imbs5
+ n7Cz6J7UE37EFdCO5YdAmnHEYrkJsF9MhSMYLfHa1t5UxeoYuTWdQLJ0k/G+
+ g/bI1UraseYYZjh6ldxU0skCW/aS58nFurFFlqBYdnKaUyH1IQ0EWCG1XMzn
+ qpI1rjtVy5LKi5aTFYYerXXmzYgNJo36YqP+7yYr+W4MQhT1px79dFLPTd/G
+ dlu1SlDMjkT5e/XS08nGxgIMXgbZP1bRlX8mx0sqkjlfEiQ1bLGavDyrz+aV
+ p5SpdGXpTREg+svWtrdCPMSne7AdSUhjlKFOwSDz4TWWojKv81LWys9OmeDI
+ dE8urQTOxcTgp1CL7PElWb5Yizl70PvBqBKQW6iXtZzRvislnYmhctcUu2T+
+ bwjEt4YIp1SwuklXdm4sskGpRSmGxYmqWEg7gasSVoQLdlLIUYG5EcyinTOe
+ wTuaZUnUjiCznLVn0Y2Ti8PF7dH4Dfm4SO8ZAyR8F68CLDsgefoaMfPo3mYg
+ Y4R5OywpS1ma90tpliF9IPh7YS66sUJS5GS7KFbeHRRxyLGUQM/fO/SgD48T
+ nIEKFDeqbVOHmyvUVQCTc6+1QLnWrh6ywc7WO3Li/MCEheuL7WVd+ANfrjUe
+ E1s+GIGg4TFc9CDCkDck/oc94gL7VtOJqgVpIy1XhtF1akaIbSoEJoP4oR0E
+ l4YpEEDX+v4CwGAeVfnHsnPCXgF73OTbxsg6604YChK7SXxdKMuBR0ThmEFM
+ Ir3aC56wR3Lbbjo4IVAUH9HvhImuJZ9h4mkl5DwCsAa+z7Zf8DYlDiz8ssrz
+ LvByHO018A+Ox/7pKekMVIiF8nboNNsDDgqblGkKkLRWOwHB3J/w5zeB/m5P
+ +iPSsB7Jp9g4QTUdG+PBoDQ7MI/i2vz7qnttP8KT4mDqd0ivznr9jWnrVL+v
+ SrDvH80hoa7sIcHaWjeMXUWTh0b0D/cMi5wSE5fG0kiZU5/cSiA+pVzgBO0A
+ 3+QXg+AYO60f233fkuvpJtdc6m4/E9pnKsXSsyGFPzn6/fUYDktzyYycOmnc
+ G/8fwwWT8iiUujpOb1vt/uR7GN4Ctph5F1pcR+YaqAi8URQPM0qrHL5EsmJH
+ HGhXzdc/M4HisYF0/TIhYDQqim0Uw7z0P1YRhW0TZiLtdwBYowQYfa9VJExX
+ HMGm7ljcb2WIrxdWqzAjo2mrae0spGwBsMimfJOQo7t1DPtceBYrQdzONcM5
+ EiJcRjb0+vDMCUqfT9G0hJh/5T1YexZg2uCtQTX2spglQYGA/XCVxhQwhY8j
+ PKGEwgo8tL13dfuxsRzyZH/VdKfcw4O1tXXIIrrIcrRZ3XIWXXlnd+dDHPwr
+ cnqlas2ZEXhgl2JufICUBtt0fUSjwrvaMXpHCo1SZLaAAOXrpZQ5q/dC4Mv1
+ KWAyllfGdFMY9152DUlpwieZuFSyN8KFOib3e+ADyfaFBdybrItvbGyftgRU
+ xS817bHHlCkOZ+Wm35/GZsTZgPtp2q4MvJXVLNtZp7NL1V7Ya62ww154ZOY/
+ RbyKLdzUrb4SezX4Ie9KEZH78dTzTKxKZgtjkW1x466HMv8FSMsSDL87hV9Q
+ B8T+zVTRMCs+fYXqi8BXdUBMT6j/CRw57U8Dwg+ECwBlyIFsdwkKCYoUGn5u
+ m5575yug7bsA1+qJbEMAH8JbhFWWu6p0Tqdfy+++4y6dGJ6EAfdnXnNdvO5l
+ yWl575+iUMgkFQONbcfwkrESuCaZA/kLkVIXkB89LTjPUrfQldYSc+g0Ycdu
+ xf0m9IDT5lcF3JFgEjr+cYQx5AR3VmFeHE2rQlZgxaBtAaQ7heGRUCYCcGFq
+ 2CAMf0+A9Ps7i8TWA5HtxQHRA+8pLX7XYV+RYSfkravU2CUueTVFyKBrxjL1
+ MkVh1TyVgkdxYsGtZfwYmxnSqgbnJM9q6g/IgCwLkFWnSx4ie6b7ViWiC7yI
+ 0AFK/xnqAAAKe0Ea35xJIoH7oCq8GClCMlf4Le8xm9/7CI1C1DMQT70pdORw
+ U1bAKkFNxm6gSG0qcjFemeiUvUgHJKW0qOYsSLSUF2ff53GpDkzjfoFOITol
+ PSIeSUVKF2kFR0rM8ua3wYypD1TDPxXSILfdAGOrvo6FUunB+QrScjbC5ra7
+ mpTZcofdgIo5yOdI2AoBoCS5RIB+jDPBoXijqZwHcW2ALPHgiIoaWQXDn+9v
+ zYsYcjM/82MaJi/v14FfC1qlbtLcCsaVWWYU7Sev0zAdGQR5W9efLkXHoR+z
+ VUL9Itaghxs781cxUUzz39KzxSQxHXvD7BRdDCqLjSO9cXrCmRJAlASC1mvU
+ Mbdey/FtflKXb1icJIP9khSdN0lRmMSixg+kCYaC5FPSBPQNj133rQ5UQOrx
+ CjYeVJwbQOc/Qs1m1vkJ7FO5ayHX5jhgFSCrbG1modbpaSU4h4yaPGTe2DUz
+ kdFTFUSa6MO+OCiw2FNhW5mW71zl5RiF7//zq5TNg4bcA/cwQ9yM7qjMoKMx
+ jygQIqVIvSVzvhQ3YuMhuDE1/CyD3bBJOhCPaApS5TCOQmG1gxLLZ7GWC0mE
+ qMAiqHBqbsfnUiGmmOJNlq3GLT9zrnwfNjtHd0iNOS9ywKXv/z5huJEe+ody
+ kJzAgE2N8q67q07xvVlVjgczpx5Unoqr0T7WMm4qfjMETvzvnXZDWQGblQLz
+ 7VhxsSi51i50RV767AFtbk6GAgw=]
+profiles::icinga2_master::master_csr: |
+ -----BEGIN CERTIFICATE REQUEST-----
+ MIIEnjCCAoYCAQAwIzEhMB8GA1UEAwwYbW9uaXRvci5pbmZyYS5jYWNlcnQub3Jn
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7Z9Yf0kd7Jo88QH/xhQN
+ YvZrm3rL2nIz+B67HFgQu6Q1o6wqYvn6bccTjdQFhrHcDob9XpoCs18IwDIG9fBh
+ NR5kph7XjVzv40vh3tjjzfkvoKzPyEDxJI98DTTkDKK3UfsvTL0PwlS1xrBRW8Ib
+ bKmqNNA7p8VJJanzJCv0k7idpLmmyKeRoBF0HFaGynFcoOwjoLib9polUExD8kSR
+ femOLwq46BGORX7id49J3DHPQv89dm4N0BPjnWGMd1x3puk+GgptEzFDNEigNmFe
+ rojMKqoIhNEi4+bB3tz/aU6Sn0vm4Jm0tnlkrdX7O1nBvTvrwBa6jt94v0n9amvF
+ V+LzKde4ukvn8FRoEmJMaiHgSMjlU0KwawhCqC67Rf+L+nwhi4o916BcLzCMkEHb
+ CAW04uBZJdj29BwvWkfd7rrydUMZuBJIsKydJ13H9/kWUlsgqXayWpMl7qrJSx7X
+ iY0Z909Nmu6+ZphlqesRcOFyZHB4hkBP8tZA9lYHOjSBFI340Fni38cMKrJQiyKA
+ ZXUQmE/i3a1J5ZXuKmYjhha4A3MtEvxrXbWP7rokYCqShJO72ThGM6RRwnEmyL4J
+ 46eRGHta3apZjOqjHjY9Za+bGbQFjQ12/YanP8DeXh4Y3vxwxu3jkUnOf0VF//qa
+ v52iYXn9PnJlQ2GhRtTWoccCAwEAAaA2MDQGCSqGSIb3DQEJDjEnMCUwIwYDVR0R
+ BBwwGoIYbW9uaXRvci5pbmZyYS5jYWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4IC
+ AQCt2+BVjtxBcuXqcHyAHIWjFke7gWAC4LH8hm7Gt5mcg5EKYANC0d7UNPM7k9vU
+ bcZwN3sMYxfBLgrMZGpbzIXgRKxufMhTc1HSZzHs5Peq+pTz/F43dfxKOHZNWrW1
+ PJoPUQwocK3MfKDjZVVnFT9PD1VwnhumTrGMRx+x/545F0tU2Zam0+vJor2VROzx
+ Y7aQ2v1K0Ac4pEigL9Ld1/mou2q5PyLR5DO0zo5/u8+QP6Oqslgy+FJ6OmUZZUua
+ 4G/1BVooLzbYIRRG/7kQNMmIIROQBCUP0upB7t9qvKvGs5JZwLLgv/M54yFtzI1z
+ bjrYZ1AbC/XutJ81jV9HplLS8XTne3Q2NJ+C3m61VizRp04INtPmKsH1Fj4stU3w
+ f0utTMTvcSeOsbIrl/rgeaEhou71sJdclqvSioAQlxdmAUqDPuffZgPnq5eeqNBL
+ 9Q1dfJWjNzgKrK5wSpa43wgentHOLDsgylju/L0oDP5L0JWvpXIsB2M/maBTRxUc
+ rZqKlRUxYBJ8XPsyzOQTgnJcZ+hmZTXZ7jDtP6qgLEtho+E0ubGtIpXBgeX5HN1U
+ yTxDP2rWDE3fKgm17An4i+n+6IU4u0M+3s1dE0wrKpzUC2VbKBPrsGTRPNKCny7W
+ UmvCla/Pixt8dYj9NTuBfoh5/m4A/uD/iVVVO54RA9u8Fg==
+ -----END CERTIFICATE REQUEST-----
diff --git a/sitemodules/profiles/manifests/icinga2_agent.pp b/sitemodules/profiles/manifests/icinga2_agent.pp
index e3402ce..dd7ef8c 100644
--- a/sitemodules/profiles/manifests/icinga2_agent.pp
+++ b/sitemodules/profiles/manifests/icinga2_agent.pp
@@ -6,12 +6,10 @@
# Parameters
# ----------
#
-# @param pki_api_user Icinga2 API user name for retrieving a
-# ticket for a certificate signing request
-# @param pki_api_password Icinga2 API password for retrieving a ticket
-# for a certificate signing request
-# @param master_host Icinga2 master hostname
-# @param master_ip Icinga2 master IP address
+# @param pki_api_user Icinga2 API user name for retrieving a
+# ticket for a certificate signing request
+# @param pki_api_password Icinga2 API password for retrieving a ticket
+# for a certificate signing request
#
# Examples
# --------
@@ -33,15 +31,15 @@
class profiles::icinga2_agent (
String $pki_api_user,
String $pki_api_password,
- String $master_host,
) {
include 'profiles::icinga2_common'
+
file { '/var/lib/icinga2/setup_agent.sh':
ensure => file,
content => epp('profiles/icinga2_agent/setup_agent.sh.epp', {
pki_api_user => $pki_api_user,
pki_api_password => $pki_api_password,
- master_host => $master_host,
+ master_host => $::profiles::icinga2_common::master_host,
}),
owner => 'nagios',
group => 'nagios',
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
index 1703d2b..83afceb 100644
--- a/sitemodules/profiles/manifests/icinga2_common.pp
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -8,7 +8,9 @@
# Parameters
# ----------
#
-# @param ca_certificate Icinga2 CA certificate content
+# @param ca_certificate Icinga2 CA certificate content
+# @param master_host Icinga2 master hostname
+# @param master_certificate Icinga2 master certificate content
#
# Examples
# --------
@@ -27,6 +29,8 @@
# Copyright 2019 Jan Dittberner
class profiles::icinga2_common (
String $ca_certificate,
+ String $master_host,
+ String $master_certificate,
) {
if $::lsbdistcodename == 'stretch' {
apt::pin { 'icinga2_backports':
@@ -46,19 +50,27 @@ class profiles::icinga2_common (
package { 'icinga2':
ensure => latest,
}
- file { '/etc/icinga2/pki':
+ file { '/var/lib/icinga2/certs':
ensure => directory,
owner => 'nagios',
group => 'nagios',
mode => '0700',
require => Package['icinga2'],
}
- file { '/etc/icinga2/pki/ca.crt':
+ file { '/var/lib/icinga2/certs/ca.crt':
ensure => file,
content => $ca_certificate,
owner => 'nagios',
group => 'nagios',
mode => '0644',
- require => File['/etc/icinga2/pki'],
+ require => File['/var/lib/icinga2/certs'],
+ }
+ file { "/var/lib/icinga2/certs/${master_host}.crt":
+ ensure => file,
+ content => $master_certificate,
+ owner => 'nagios',
+ group => 'nagios',
+ mode => '0644',
+ require => File['/var/lib/icinga2/certs'],
}
}
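Review bot: `$master_host` is accepted as a bare `String` and then interpolated into the resource title `"/var/lib/icinga2/certs/${master_host}.crt"`, so a Hiera value containing `/` or `..` would place the certificate outside the certs directory. Constraining the parameter in the class header, e.g. `Pattern[/\A[A-Za-z0-9.-]+\z/] $master_host,`, keeps the path well-formed without a new module dependency. The hunk also stops managing `/etc/icinga2/pki` without removing it, so existing nodes keep an unmanaged `ca.crt` there; once nothing reads that path any more, a `file { '/etc/icinga2/pki': ensure => absent, force => true }` resource would make the move explicit.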
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index fb3e132..06506b6 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -14,6 +14,8 @@
# Icinga2 node authentication
# @param api_users Icinga2 API users
# @param ca_key Icinga2 CA private key content
+# @param master_key Icinga2 master private key content
+# @param master_csr Icinga2 master CSR
#
# Examples
# --------
@@ -39,6 +41,8 @@ class profiles::icinga2_master (
String $icinga2_ticket_salt,
Array[Hash[String, Variant[String, Tuple[String, 1]]]] $api_users,
String $ca_key,
+ String $master_key,
+ String $master_csr,
) {
include 'profiles::icinga2_common'
@@ -97,12 +101,6 @@ class profiles::icinga2_master (
mode => '0644',
require => Package['icinga2'],
}
- file { '/etc/icinga2/features-enabled/api.conf':
- ensure => link,
- target => '/etc/icinga2/features-available/api.conf',
- owner => 'root',
- group => 'root',
- }
file { '/etc/icinga2/features-enabled/checker.conf':
ensure => link,
target => '/etc/icinga2/features-available/checker.conf',
@@ -139,6 +137,22 @@ class profiles::icinga2_master (
mode => '0640',
require => Package['icinga2'],
}
+ file { "/var/lib/icinga2/certs/${::facts['fqdn']}.key":
+ ensure => file,
+ owner => 'nagios',
+ group => 'nagios',
+ mode => '0600',
+ content => $master_key,
+ require => File['/var/lib/icinga2/certs'],
+ }
+ file { "/var/lib/icinga2/certs/${::facts['fqdn']}.csr":
+ ensure => file,
+ owner => 'nagios',
+ group => 'nagios',
+ mode => '0644',
+ content => $master_csr,
+ require => File['/var/lib/icinga2/certs'],
+ }
file { '/var/lib/icinga2/ca':
ensure => directory,
owner => 'nagios',
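Review bot: The master private key reaches `content => $master_key` as a plain `String`, so Puppet does not redact the decrypted value in logs or reports, for example when file diffs are shown. Declaring the parameter as `Sensitive[String] $master_key,` (with a matching Hiera `lookup_options` entry using `convert_to: Sensitive`), or at minimum adding `show_diff => false,` to this file resource, would keep it out of that output; the existing `ca_key` parameter appears to follow the same plain-String pattern. Separately, the key and CSR are named after `${::facts['fqdn']}` while the certificate in `profiles::icinga2_common` is named after `$master_host`, so key and certificate only pair up while those two values are identical. The class body continues outside the hunk.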
@@ -163,8 +177,12 @@ class profiles::icinga2_master (
require => File['/var/lib/icinga2/ca'],
}
exec { "/usr/sbin/icinga2 node setup --master --zone ${::facts['fqdn']} --cn ${::facts['fqdn']}":
- creates => "/var/lib/icinga2/certs/${::facts['fqdn']}.crt",
- require => Package['icinga2'],
+ creates => "/etc/icinga2/features-enabled/api.conf",
+ require => [
+ Package['icinga2'],
+ File['/var/lib/icinga2/ca/ca.key'],
+ File["/var/lib/icinga2/certs/${::facts['fqdn']}.key"]
+ ],
notify => Service['icinga2'],
}
exec { '/usr/sbin/icinga2 feature enable ido-pgsql':
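Review bot: The new `require` list orders the exec after the CA key and the master key, but not after the master certificate that `profiles::icinga2_common` writes to `/var/lib/icinga2/certs/${master_host}.crt`. If `icinga2 node setup --master` runs first, it presumably generates its own certificate for the pre-seeded key, which Puppet then overwrites. Adding `File["/var/lib/icinga2/certs/${::profiles::icinga2_common::master_host}.crt"],` to the list would pin the order. As a style point, `creates => "/etc/icinga2/features-enabled/api.conf"` has no interpolation and should use single quotes, and the last array element lacks the trailing comma used in the other `require` lists of this file.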
@@ -192,8 +210,7 @@ class profiles::icinga2_master (
File['/var/lib/icinga2/ca'],
File['/var/lib/icinga2/ca/ca.key'],
File['/var/lib/icinga2/ca/ca.crt'],
- File['/etc/icinga2/pki'],
- File['/etc/icinga2/pki/ca.crt'],
+ File['/var/lib/icinga2/certs/ca.crt'],
],
}
}
diff --git a/sitemodules/profiles/templates/icinga2_agent/setup_agent.sh.epp b/sitemodules/profiles/templates/icinga2_agent/setup_agent.sh.epp
index 20e2132..ad9d830 100644
--- a/sitemodules/profiles/templates/icinga2_agent/setup_agent.sh.epp
+++ b/sitemodules/profiles/templates/icinga2_agent/setup_agent.sh.epp
@@ -20,6 +20,6 @@ TICKET=$(/usr/bin/curl -f -s --cacert /etc/icinga2/pki/ca.crt \
--zone "<%= $::facts["fqdn"] %>" \
--parent_zone "<%= $master_host %>" \
--parent_host "<%= $master_host %>" \
---trustedcert "/etc/icinga2/pki/ca.crt" \
+--trustedcert "/var/lib/icinga2/certs/<%= $master_host %>.crt" \
--accept-commands \
--disable-confd
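Review bot: The `curl` call shown in the hunk header still passes `--cacert /etc/icinga2/pki/ca.crt`, a path this commit stops managing in `profiles::icinga2_common`. On a freshly provisioned agent that file would not exist, so the ticket request would fail; on existing agents it would validate against a copy Puppet no longer updates. It should follow the move, `--cacert /var/lib/icinga2/certs/ca.crt \`. That line lies outside the hunk, so this is inferred from the header context only. The new `--trustedcert` path also interpolates `$master_host` inside a double-quoted shell string, which is safe only while that value is a plain hostname.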