Werk #14964: Agent controller certificate lifetime
| Component | Checks & agents |
| Title | Agent controller certificate lifetime |
| Date | Feb 15, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Compatibility | Compatible - no manual interaction needed |
The TLS encryption for agent communication (introduced with Checkmk 2.1) uses X.509 certificates to authenticate the agent against the Checkmk site.
For this purpose, the Checkmk site issues a certificate to the agent controller of a host on agent registration.
Previously, these certificates had a virtually unlimited expiration period.
Starting with this Werk, agent certificates will only be issued with a limited expiration period.
This period is configurable with the global setting "Site management/Agent certificates" and defaults to 5 years.
You can choose from various values, with a minimum of 3 months and a maximum of 50 years.
The agent controller will automatically renew the agent certificate in time before it expires, provided that it's running.
The same holds true for legacy certificates whose validity period is too long.
That said, inactive TLS agents (agent controller daemon on Linux or Checkmk agent service on Windows not running) will actually lose their registration on certificate expiration.
To resume agent communication, you'll then have to re-register the agent.
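
To audit certificates for these lifetime limits, the following added example (not part of the Werk or of Checkmk's own tooling) classifies a PEM-encoded certificate by its total validity period and remaining time. It assumes `openssl` and GNU `date` are available and that you supply the path to a PEM file yourself; `classify_cert`, `WARN_DAYS` and the result labels are names made up for this sketch.

```shell
#!/bin/sh
# Added example: classify an X.509 certificate by lifetime and time remaining.
# Assumptions: PEM file paths are passed as arguments; GNU date; openssl on PATH.

MAX_YEARS=50   # longest lifetime selectable in the global setting (per the Werk)
WARN_DAYS=90   # constructed warning threshold, roughly the 3-month minimum

# to_epoch "Feb 15 12:00:00 2028 GMT" -> seconds since the epoch
to_epoch() {
    date -u -d "$1" +%s
}

# classify_cert FILE -> prints expired | legacy | expiring | ok
# Returns 2 if the file cannot be parsed as a certificate.
classify_cert() {
    dates=$(openssl x509 -in "$1" -noout -startdate -enddate) || return 2
    not_before=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    not_after=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    start=$(to_epoch "$not_before") || return 2
    end=$(to_epoch "$not_after") || return 2
    now=$(date -u +%s)

    lifetime_days=$(( (end - start) / 86400 ))
    left_days=$(( (end - now) / 86400 ))

    if [ "$end" -le "$now" ]; then
        echo expired      # registration is lost; the agent must be re-registered
    elif [ "$lifetime_days" -gt $(( MAX_YEARS * 366 )) ]; then
        echo legacy       # longer than any configurable value: pre-Werk certificate
    elif [ "$left_days" -lt "$WARN_DAYS" ]; then
        echo expiring     # renewal only happens if the agent controller is running
    else
        echo ok
    fi
}

# Classify every file given on the command line.
for pem in "$@"; do
    printf '%s: %s\n' "$pem" "$(classify_cert "$pem")"
done
```

A result of `expiring` or `legacy` on a host whose agent controller is not running is the case to act on, since only a running controller renews the certificate.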