Werk #14964: Agent controller certificate lifetime
Component | Checks & agents
Title | Agent controller certificate lifetime
Date | 15.02.2023
Level | Trivial change
Class | New feature
Compatibility | Compatible - no manual interaction needed
The TLS encryption for agent communication (introduced with Checkmk 2.1) uses X.509 certificates to authenticate the agent against the Checkmk site.
Therefore, the Checkmk site issues a certificate to the agent controller of a host on agent registration.
Previously, these certificates had a virtually unlimited expiration period.
Starting with this Werk, agent certificates will only be issued with a limited expiration period.
This period is configurable with the global setting "Site management/Agent certificates" and defaults to 5 years.
You can choose from various values, with a minimum of 3 months and a maximum of 50 years.
The agent controller will automatically renew the agent certificate in time before it expires, provided that it's running.
The same holds true for legacy certificates with a too-long validity period.
That said, inactive TLS agents (agent controller daemon (Linux) / Checkmk agent service (Windows) not running) will lose their registration when the certificate expires.
To resume agent communication, you'll then have to re-register the agent.
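
To spot hosts at risk of the registration loss described above, the following added example (not Checkmk code) classifies an agent certificate from the output of `openssl x509 -noout -dates`. The sample outputs are constructed, and the 30-day warning window and the 2-day leap-day tolerance are assumptions, since this Werk does not state when renewal is triggered.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Lifetime set in "Site management/Agent certificates"; 5 years is the default.
CONFIGURED_LIFETIME = timedelta(days=5 * 365)
# Assumption: flag certificates this close to expiry that were not renewed yet.
WARN_WINDOW = timedelta(days=30)
# Assumption: tolerance for leap days inside a multi-year validity period.
LEAP_SLACK = timedelta(days=2)

# Constructed sample outputs of `openssl x509 -noout -dates`.
LEGACY_CERT = "notBefore=Jun  1 08:00:00 2022 GMT\nnotAfter=Jun  1 08:00:00 2122 GMT"
LIMITED_CERT = "notBefore=Mar  1 08:00:00 2023 GMT\nnotAfter=Mar  1 08:00:00 2028 GMT"


def parse_dates(openssl_output):
    """Return (not_before, not_after) as UTC datetimes."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            seconds = ssl.cert_time_to_seconds(value)
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def classify(openssl_output, now, lifetime=CONFIGURED_LIFETIME, warn=WARN_WINDOW):
    """Classify a certificate as expired, expiring, legacy or ok."""
    not_before, not_after = parse_dates(openssl_output)
    if now >= not_after:
        return "expired"   # registration is lost; the agent must be re-registered
    if not_after - now <= warn:
        return "expiring"  # not renewed yet; check that the agent controller runs
    if not_after - not_before > lifetime + LEAP_SLACK:
        return "legacy"    # over-long validity; renewed only by a running controller
    return "ok"


if __name__ == "__main__":
    today = datetime(2023, 6, 1, tzinfo=timezone.utc)
    for name, cert in (("legacy", LEGACY_CERT), ("limited", LIMITED_CERT)):
        print(name, classify(cert, today))
```
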