diff --git a/CMakeLists.txt b/CMakeLists.txt index 2a60148d6..efe3fb6ac 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -162,7 +162,6 @@ add_subdirectory(etc) add_subdirectory(itl) add_subdirectory(doc) add_subdirectory(test) -add_subdirectory(pki) add_subdirectory(agent) set(CPACK_PACKAGE_NAME "Icinga2") diff --git a/debian/icinga2-common.install b/debian/icinga2-common.install index b691b2294..48c20e55b 100644 --- a/debian/icinga2-common.install +++ b/debian/icinga2-common.install @@ -3,8 +3,6 @@ debian/tmp/etc/icinga2 debian/tmp/etc/logrotate.d debian/tmp/etc/bash_completion.d tools/syntax/* usr/share/icinga2-common/syntax -usr/bin/icinga2-build* -usr/bin/icinga2-sign-key usr/sbin/icinga2-*-agent usr/sbin/icinga2-list-agents usr/share/icinga2 diff --git a/doc/4-monitoring-remote-systems.md b/doc/4-monitoring-remote-systems.md index fd8531ea8..523a09c95 100644 --- a/doc/4-monitoring-remote-systems.md +++ b/doc/4-monitoring-remote-systems.md @@ -197,9 +197,8 @@ object name. Example: - # icinga2-build-key icinga2a - ... - Common Name (e.g. server FQDN or YOUR name) [icinga2a]: + # icinga2 pki new-cert --cn icinga2a --keyfile icinga2a.key --csrfile icinga2a.csr + # icinga2 pki sign-csr < icinga2a.csr > icinga2a.crt # vim cluster.conf 
@@ -234,22 +233,16 @@ for your Icinga 2 cluster. > You're free to use your own method to generated a valid ca and signed client > certificates. -Please make sure to export the environment variable `ICINGA_CA` pointing to -an empty folder for the newly created CA files: - - # export ICINGA_CA="/root/icinga-ca" - -The scripts will put all generated data and the required certificates in there. - -The first step is the creation of the certificate authority (CA) running the +The first step is the creation of the certificate authority (CA) by running the following command: - # icinga2-build-ca + # icinga2 pki new-ca Now create a certificate and key file for each node running the following command (replace `icinga2a` with the required hostname): - # icinga2-build-key icinga2a + # icinga2 pki new-cert --cn icinga2a --keyfile icinga2a.key --csrfile icinga2a.csr + # icinga2 pki sign-csr < icinga2a.csr > icinga2a.crt Repeat the step for all nodes in your cluster scenario. diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index bc655f22f..7c8a8341b 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -19,7 +19,7 @@ file(GLOB DOCSRCS "*.md") if(UNIX OR CYGWIN) install( - FILES icinga2.8 icinga2-build-ca.8 icinga2-build-key.8 icinga2-sign-key.8 icinga2-prepare-dirs.8 + FILES icinga2.8 icinga2-prepare-dirs.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8 ) endif() diff --git a/doc/icinga2-build-ca.8 b/doc/icinga2-build-ca.8 deleted file mode 100644 index fb7b0d037..000000000 --- a/doc/icinga2-build-ca.8 +++ /dev/null 
@@ -1,25 +0,0 @@
-.TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
-
-.SH NAME
-icinga2-build-ca \- Build Icinga 2 certificate authority
-
-.SH DESCRIPTION
-icinga2-build-ca \- Build Icinga 2 certificate authority
-
-Requires the environment variable ICINGA_CA set to an empty
-writable directory.
-
-.SH AUTHOR
-Icinga2 is maintained by the Icinga Project .
-
-.SH "REPORTING BUGS"
-Report bugs at
-.br
-Icinga home page:
-
-.SH COPYRIGHT
-Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
-License GPLv2+: GNU GPL version 2 or later
-.br
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
diff --git a/doc/icinga2-build-key.8 b/doc/icinga2-build-key.8
deleted file mode 100644
index 4947bbbf8..000000000
--- a/doc/icinga2-build-key.8
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
-
-.SH NAME
-icinga2-build-key \- Build Icinga 2 certificate key
-
-.SH DESCRIPTION
-icinga2-build-key \- Build Icinga 2 certificate key
-
-Requires the environment variable ICINGA_CA set to an empty
-writable directory.
-
-.SH AUTHOR
-Icinga2 is maintained by the Icinga Project .
-
-.SH "REPORTING BUGS"
-Report bugs at
-.br
-Icinga home page:
-
-.SH COPYRIGHT
-Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
-License GPLv2+: GNU GPL version 2 or later
-.br
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
diff --git a/doc/icinga2-sign-key.8 b/doc/icinga2-sign-key.8
deleted file mode 100644
index 04df388c0..000000000
--- a/doc/icinga2-sign-key.8
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH ICINGA2 "8" "June 2014" "icinga2 - The Icinga 2 network monitoring daemon." "System Administration Utilities"
-
-.SH NAME
-icinga2-sign-key \- Sign Icinga 2 certificate key
-
-.SH DESCRIPTION
-icinga2-sign-key \- Sign Icinga 2 certificate key
-
-Requires the environment variable ICINGA_CA set to an empty
-writable directory.
-
-.SH AUTHOR
-Icinga2 is maintained by the Icinga Project .
-
-.SH "REPORTING BUGS"
-Report bugs at
-.br
-Icinga home page:
-
-.SH COPYRIGHT
-Copyright \(co 2012\-2014 Icinga Development Team (http://www.icinga.org)
-License GPLv2+: GNU GPL version 2 or later
-.br
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
diff --git a/icinga2.spec b/icinga2.spec
index f95e70529..c42a42cb6 100644
--- a/icinga2.spec
+++ b/icinga2.spec
@@ -453,10 +453,6 @@ exit 0
 %config(noreplace) %attr(0640,%{icinga_user},%{icinga_group}) %{_sysconfdir}/%{name}/zones.d/*
 %config(noreplace) %{_sysconfdir}/%{name}/scripts/*
 %{_sbindir}/%{name}
-%{_bindir}/%{name}-build-ca
-%{_bindir}/%{name}-build-key
-%{_bindir}/%{name}-sign-key
-%{_sbindir}/%{name}-list-objects
 %{_sbindir}/%{name}-setup-agent
 %{_sbindir}/%{name}-discover-agent
 %{_sbindir}/%{name}-forget-agent
@@ -468,9 +464,6 @@ exit 0
 %{_datadir}/%{name}
 %exclude %{_datadir}/%{name}/include
 %{_mandir}/man8/%{name}.8.gz
-%{_mandir}/man8/%{name}-build-ca.8.gz
-%{_mandir}/man8/%{name}-build-key.8.gz
-%{_mandir}/man8/%{name}-sign-key.8.gz
 %{_mandir}/man8/%{name}-prepare-dirs.8.gz
 %attr(0750,%{icinga_user},%{icingacmd_group}) %{_localstatedir}/cache/%{name}
diff --git a/pki/CMakeLists.txt b/pki/CMakeLists.txt
deleted file mode 100644
index 76494e3b6..000000000
--- a/pki/CMakeLists.txt
+++ /dev/null
@@ -1,34 +0,0 @@
-# Icinga 2
-# Copyright (C) 2012-2014 Icinga Development Team (http://www.icinga.org)
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software Foundation
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
-
-if(UNIX OR CYGWIN)
- configure_file(icinga2-build-ca.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca @ONLY)
- configure_file(icinga2-build-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key @ONLY)
- configure_file(icinga2-sign-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key @ONLY)
-
- install(
- FILES ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key
- ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key
- DESTINATION ${CMAKE_INSTALL_BINDIR}
- PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
- )
-
- install(
- FILES openssl.cnf openssl-quiet.cnf pkifuncs vars
- DESTINATION ${CMAKE_INSTALL_DATADIR}/icinga2/pki
- )
-endif()
diff --git a/pki/icinga2-build-ca.cmake b/pki/icinga2-build-ca.cmake
deleted file mode 100644
index af06ca0b0..000000000
--- a/pki/icinga2-build-ca.cmake
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
-
-. $ICINGA2PKIDIR/pkifuncs
-
-check_pki_dir
-
-if [ `ls -1 -- $ICINGA_CA | wc -l` != 0 ]; then
- echo "The Icinga CA directory must be empty." >&2
- exit 1
-fi
-
-chmod 700 $ICINGA_CA >/dev/null 2>&1
-
-echo '01' > $ICINGA_CA/serial
-touch $ICINGA_CA/index.txt
-
-cp $ICINGA2PKIDIR/vars $ICINGA_CA/
-. $ICINGA_CA/vars
-
-KEY_DIR=$ICINGA_CA openssl req -config $ICINGA2PKIDIR/openssl-quiet.cnf -new -newkey rsa:4096 -x509 -days 3650 -keyform PEM -keyout $ICINGA_CA/ca.key -outform PEM -out $ICINGA_CA/ca.crt && \
- chmod 600 $ICINGA_CA/ca.key && \
- echo -e "\n\tIf you want to change the default settings for server certificates check out \"$ICINGA_CA/vars\".\n"
diff --git a/pki/icinga2-build-key.cmake b/pki/icinga2-build-key.cmake
deleted file mode 100644
index e23e07dad..000000000
--- a/pki/icinga2-build-key.cmake
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
-
-. $ICINGA2PKIDIR/pkifuncs
-
-if [ -z "$1" ]; then
- echo "Syntax: $0 " >&2
- exit 1
-fi
-
-name=$1
-
-check_pki_dir
-
-if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
- echo "Please build a CA certificate first." >&2
- exit 1
-fi
-
-[ -f $ICINGA_CA/vars ] && . $ICINGA_CA/vars
-
-[ -z "$REQ_COUNTRY_NAME" ] && export REQ_COUNTRY_NAME="AU"
-[ -z "$REQ_STATE" ] && export REQ_STATE="Some-State"
-[ -z "$REQ_ORGANISATION" ] && export REQ_ORGANISATION="Internet Widgits Pty Ltd"
-[ -z "$REQ_ORG_UNIT" ] && export REQ_ORG_UNIT="Monitoring"
-[ -z "$REQ_COMMON_NAME" ] && export REQ_COMMON_NAME="Icinga CA"
-[ -z "$REQ_DAYS" ] && export REQ_DAYS="3650"
-
-REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA_CA" openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
- openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.tmp -CAserial $ICINGA_CA/serial && \
- chmod 600 $ICINGA_CA/$name.key && \
- openssl x509 -in $ICINGA_CA/$name.tmp -text > $ICINGA_CA/$name.crt && \
- rm -f $ICINGA_CA/$name.csr $ICINGA_CA/$name.tmp
diff --git a/pki/icinga2-sign-key.cmake b/pki/icinga2-sign-key.cmake
deleted file mode 100644
index a57a6fa8b..000000000
--- a/pki/icinga2-sign-key.cmake
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
-
-. $ICINGA2PKIDIR/pkifuncs
-
-if [ -z "$1" ]; then
- echo "Syntax: $0 " >&2
- exit 1
-fi
-
-check_pki_dir
-
-csrfile=$1
-
-if [ ! -e "$ICINGA_CA/$csrfile" ]; then
- echo "The specified CSR file does not exist."
- exit 1
-fi
-
-pubkfile=${csrfile%.*}
-
-if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
- echo "Please build a CA certificate first." >&2
- exit 1
-fi
-
-[ -f $ICINGA_CA/vars ] && . $ICINGA_CA/vars
-
-if ! openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$csrfile -outform PEM -out $ICINGA_CA/$pubkfile.crt -CAserial $ICINGA_CA/serial; then
- echo "Signing the CSR failed." >&2
- exit 1
-fi
-
-cn=`openssl x509 -in $pubkfile.crt -subject | grep -Eo '/CN=[^ ]+' | cut -f2- -d=`
-
-case "$cn" in
- */*)
- echo "commonName contains invalid character (/)."
- exit 1
- ;;
-esac
-
-
-mv $pubkfile.crt $cn.crt
-pubkfile=$cn
-
-# Make an agent bundle file
-tar cz -C $ICINGA_CA $pubkfile.crt ca.crt | base64 > $ICINGA_CA/$pubkfile.bundle
-
-echo "Done. $pubkfile.crt and $pubkfile.bundle files were written."
-exit 0
diff --git a/pki/openssl-quiet.cnf b/pki/openssl-quiet.cnf
deleted file mode 100644
index db13e8c72..000000000
--- a/pki/openssl-quiet.cnf
+++ /dev/null
@@ -1,238 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -# Policies used by the TSA examples. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = $ENV::KEY_DIR # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. 
- -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_anything - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -prompt = no -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) -# utf8only: only UTF8Strings (PKIX recommendation after 2004). -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. -string_mask = utf8only - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -CN = $ENV::REQ_COMMON_NAME - -# SET-ex3 = SET extension number 3 - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. 
-# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -extendedKeyUsage=clientAuth,serverAuth -keyUsage=digitalSignature - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This is required for TSA certificates. -# extendedKeyUsage = critical,timeStamping - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. 
-# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always diff --git a/pki/openssl.cnf b/pki/openssl.cnf deleted file mode 100644 index 072b2a9c1..000000000 --- a/pki/openssl.cnf +++ /dev/null 
@@ -1,270 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -# Policies used by the TSA examples. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = $ENV::KEY_DIR # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. 
- -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_anything - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) -# utf8only: only UTF8Strings (PKIX recommendation after 2004). -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. -string_mask = utf8only - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = $ENV::REQ_COUNTRY_NAME -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::REQ_STATE - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::REQ_ORGANISATION - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = $ENV::REQ_ORG_UNIT - -commonName = Common Name (e.g. 
server FQDN or YOUR name) -commonName_max = 64 -commonName_default = $ENV::REQ_COMMON_NAME - -#emailAddress = Email Address -#emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -extendedKeyUsage=clientAuth,serverAuth -keyUsage=digitalSignature - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This is required for TSA certificates. 
-# extendedKeyUsage = critical,timeStamping - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always diff --git a/pki/pkifuncs b/pki/pkifuncs deleted file mode 100644 index f99f0b521..000000000 --- a/pki/pkifuncs +++ /dev/null @@ -1,12 +0,0 @@ -check_pki_dir() { - if [ -z "$ICINGA_CA" ]; then - echo "Please set the ICINGA_CA environment variable to the path for your Icinga CA." >&2 - echo "e.g.: export ICINGA_CA=\"$HOME/icinga-ca\"" >&2 - exit 1 - fi - - if [ ! -d "$ICINGA_CA" ]; then - echo "The path you specified in the ICINGA_CA environment variable ($ICINGA_CA) does not exist or is not a directory." >&2 - exit 1 - fi -} diff --git a/pki/vars b/pki/vars deleted file mode 100644 index a4e650663..000000000 
--- a/pki/vars
+++ /dev/null
@@ -1,8 +0,0 @@
-# Icinga 2 default CA vars
-
-export REQ_COUNTRY_NAME="AU"
-export REQ_STATE="Some-State"
-export REQ_ORGANISATION="Internet Widgits Pty Ltd"
-export REQ_ORG_UNIT="Monitoring"
-export REQ_COMMON_NAME="Icinga CA"
-export REQ_DAYS="3650"