Adds feature checking Icinga Agent cert sign state

Lord Hepipud 2022-03-17 11:35:08 +01:00
parent e6d820735d
commit a90151493f
6 changed files with 37 additions and 2 deletions

View file

@ -22,6 +22,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
### Enhancements
* [#469](https://github.com/Icinga/icinga-powershell-framework/pull/469) Improves plugin doc generator to allow multi-lines in code examples and updates plugin overview as table, adding a short description on what the plugin is for
* [#495](https://github.com/Icinga/icinga-powershell-framework/pull/495) Adds feature to check the sign status for the local Icinga Agent certificate and notifying the user, in case the certificate is not yet signed by the Icinga CA
## 1.8.0 (2022-02-08)
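Review bot: the #495 entry mixes verb forms ("Adds feature to check ... and notifying the user"); suggest "Adds feature to check the sign status of the local Icinga Agent certificate and notifies the user in case the certificate is not yet signed by the Icinga CA". It would also help operators searching the changelog to name the new event id 1506 and the knowledge base entry IWKB000013 that this change introduces, since those are the strings they will see in the event log and on the console.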

View file

@ -20,3 +20,4 @@ For this reason you will find a list of Icinga knowledge base entries below. Ent
| [IWKB000010](knowledgebase/IWKB000010.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. |
| [IWKB000011](knowledgebase/IWKB000011.md) | The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details Error: The term 'Use-Icinga' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. |
| [IWKB000012](knowledgebase/IWKB000012.md) | Icinga for Windows cannot be used with Microsoft Defender: `Windows Defender Antivirus has detected malware or other potentially unwanted software` |
| [IWKB000013](knowledgebase/IWKB000013.md) | The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required |
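Review bot: the new IWKB000013 row says "Using this certificate for the REST-Api as example might not work yet"; the intended phrasing is "Using this certificate, for example for the REST-Api, might not work yet". Note that this wording also differs slightly from the console message in `Get-IcingaAgentHostCertificate` ("might not work" without "yet"); keeping the table text, the knowledge base page and the code message identical makes the entry easier to find by copying the message from the console. Unrelated to this change, the pre-existing IWKB000010 and IWKB000011 rows carry the same description text, which is worth a follow-up.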

Binary file not shown.

View file

@ -0,0 +1,17 @@
# Icinga Knowledge Base - IWKB000013
## Short Message
The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required
## Example Exception
![EventLog Defender](../images/04_knowledgebase/IWKB000013/01_Cert_Not_Signed.png)
## Reason
This warning will occur, whenever Icinga for Windows is fetching the Icinga Agents local certificate, for compiling the `IcingaForWindows.pfx` certificate or by accessing the certificate for dynamically creating the REST-Api TLS certificate.
## Solution
To resolve this issue, you will have to make sure the certificate is signed by the `Icinga CA` by either manually signing the certificate on the `CA master` with `icinga2 ca sign <Fingerprint>` or by using a ticket during the setup process for signing the certificate right away.
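Review bot: the image alt text `EventLog Defender` on the `![EventLog Defender](...)` line was copied from the IWKB000012 Defender entry and does not describe this screenshot; suggest `EventLog Certificate Not Signed`. The "Reason" section currently states when the check runs (while fetching the Agent certificate for `IcingaForWindows.pfx` or the REST-Api TLS certificate) but not what condition triggers it; stating that the warning is raised when the certificate's issuer is still the Agent's own hostname, i.e. the initial self-signed certificate has not yet been replaced by the CA-signed one, would let the reader verify the state themselves. In the "Solution" section it would help to say where the `<Fingerprint>` for `icinga2 ca sign <Fingerprint>` comes from (the pending requests listed on the CA master) and that the Agent has to pick up the signed certificate afterwards before the warning goes away.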

View file

@ -27,6 +27,16 @@ function Get-IcingaAgentHostCertificate()
$Certificate = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertPath;
if ($null -ne $Certificate) {
if ($Certificate.Issuer.ToLower() -eq ([string]::Format('cn={0}', $Hostname).ToLower())) {
Write-IcingaConsoleWarning `
-Message 'The Icinga Agent certificate "{0}" seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work. Please check the state of the certificate and complete the signing process if required. [IWKB000013]' `
-Objects $CertPath;
Write-IcingaEventMessage -EventId 1506 -Namespace 'Framework' -Objects $CertPath;
}
}
return @{
'CertFile' = $CertPath;
'Subject' = $Certificate.Subject;
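Review bot: the condition `if ($Certificate.Issuer.ToLower() -eq ([string]::Format('cn={0}', $Hostname).ToLower()))` only detects the one case where the issuer DN is exactly `CN=<hostname>`; a certificate that is self-signed under any other subject form, or that was issued by some CA other than the Icinga CA, passes the check silently even though the message claims it is "not signed by our Icinga CA". Comparing `$Certificate.Issuer` against `$Certificate.Subject` (self-signed) or checking explicitly for the expected Icinga CA issuer would match the wording of the warning. Two smaller points: `New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertPath` throws rather than returning `$null` when the file is missing or unreadable, so the `$null -ne $Certificate` guard does not cover that path and the later `$Certificate.Subject` access would fail anyway; and the console side uses `Write-IcingaConsoleWarning` while `Write-IcingaEventMessage -EventId 1506` is registered as an Error entry, so the two channels report different severities for the same condition.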

View file

@ -101,9 +101,15 @@ if ($null -eq $IcingaEventLogEnums -Or $IcingaEventLogEnums.ContainsKey('Framewo
1505 = @{
'EntryType' = 'Warning';
'Message' = 'Icinga for Windows JEA context not available';
'Details' = 'The Icinga for Windows JEA session is no longer available and is attempted to be restarted on the system. This could have either happenend due to a crash or a user action, like restarting the WinRM service.';
'Details' = 'The Icinga for Windows JEA session is no longer available and is attempted to be restarted on the system. This could have either happened due to a crash or a user action, like restarting the WinRM service.';
'EventId' = 1505;
};
1506 = @{
'EntryType' = 'Error';
'Message' = 'Icinga Agent certificate not signed by Icinga CA';
'Details' = 'The local Icinga Agent certificate seems not to be signed by our Icinga CA yet. Using this certificate for the REST-Api as example might not work yet. Please check the state of the certificate and complete the signing process if required [IWKB000013]';
'EventId' = 1506;
};
1550 = @{
'EntryType' = 'Error';
'Message' = 'Unsupported web authentication used';
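Review bot: severity mismatch for the new 1506 entry: it is registered with `'EntryType' = 'Error';` while the emitting code writes a console warning and the Details text itself says the certificate "might not work yet"; anyone alerting on Error-level Icinga for Windows events will be paged for a condition the console treats as a warning. Suggest `'EntryType' = 'Warning';` to match the wording, or raise the console message to an error if the condition is meant to be fatal. Also, the 1506 Details string ends with `... if required [IWKB000013]` without the terminating period the other entries use. The `happenend` to `happened` fix in 1505 is fine.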
@ -113,7 +119,7 @@ if ($null -eq $IcingaEventLogEnums -Or $IcingaEventLogEnums.ContainsKey('Framewo
1551 = @{
'EntryType' = 'Warning';
'Message' = 'Invalid authentication credentials provided';
'Details' = 'A web request for a client was rejected because of invalid formated base64 encoded credentials.';
'Details' = 'A web request for a client was rejected because of invalid formatted base64 encoded credentials.';
'EventId' = 1551;
};
1552 = @{
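Review bot: the replacement text `'A web request for a client was rejected because of invalid formatted base64 encoded credentials.'` is still ungrammatical ("invalid formatted"); since this line is being touched anyway, suggest "malformed base64 encoded credentials" or "invalidly formatted base64 encoded credentials".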