Werk #14964: Agent controller certificate lifetime
| Component | Checks & agents |
| Title | Agent controller certificate lifetime |
| Date | Feb 15, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.2.0b1 |
| Level | Trivial Change |
| Class | New Feature |
| Compatibility | Compatible - no manual interaction needed |
The TLS encryption for agent communication (introduced with Checkmk 2.1) makes use of x509 Certificates to authenticate the agent against the Checkmk site.
Therefore, the Checkmk site issues a certificate to the agent controller of a host on agent registration.
Previously, these certificates used to have a virtually unlimited expiration period.
Starting with this Werk, agent certificates will only be issued with a limited expiration period.
This period is configurable with the global setting "Site management/Agent certificates" and defaults to 5 years.
You can choose from various values, with a minumum of 3 months and a maximum of 50 years.
The agent controller will automatically renew the agent certificate in time before it expires, provided that it's running.
The same holds true for legacy certificates with a too-long validity period.
That said, inactive TLS agents (agent controller daemon(Linux)/Checkmk agent service(Windows) not running) will actually lose their registration on certificate expiration.
To resume agent communication, you'll then have to re-register the agent.
