Werk #14964: Agent controller certificate lifetime

Component Checks & agents
Title Agent controller certificate lifetime
Date Feb 15, 2023
Level Trivial Change
Class New Feature
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.2.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

The TLS encryption for agent communication (introduced with Checkmk 2.1) makes use of x509 Certificates to authenticate the agent against the Checkmk site.
Therefore, the Checkmk site issues a certificate to the agent controller of a host on agent registration.

Previously, these certificates used to have a virtually unlimited expiration period.

Starting with this Werk, agent certificates will only be issued with a limited expiration period.
This period is configurable with the global setting "Site management/Agent certificates" and defaults to 5 years.
You can choose from various values, with a minumum of 3 months and a maximum of 50 years.

The agent controller will automatically renew the agent certificate in time before it expires, provided that it's running.
The same holds true for legacy certificates with a too-long validity period.
That said, inactive TLS agents (agent controller daemon(Linux)/Checkmk agent service(Windows) not running) will actually lose their registration on certificate expiration.
To resume agent communication, you'll then have to re-register the agent.

To the list of all Werks