Werk #14964: Agent controller certificate lifetime
Component | Checks & agents
Title | Agent controller certificate lifetime
Date | Feb 15, 2023
Level | Trivial Change
Class | New Feature
Compatibility | Compatible - no manual interaction needed
Checkmk versions & editions |
The TLS encryption for agent communication (introduced with Checkmk 2.1) uses X.509 certificates to authenticate the agent against the Checkmk site.
Therefore, the Checkmk site issues a certificate to the agent controller of a host on agent registration.
Previously, these certificates had a virtually unlimited expiration period.
Starting with this Werk, agent certificates will only be issued with a limited expiration period.
This period is configurable with the global setting "Site management/Agent certificates" and defaults to 5 years.
You can choose from various values, with a minimum of 3 months and a maximum of 50 years.
The agent controller will automatically renew the agent certificate in time before it expires, provided that it's running.
The same holds true for legacy certificates with a too-long validity period.
That said, inactive TLS agents (agent controller daemon (Linux) / Checkmk agent service (Windows) not running) will actually lose their registration on certificate expiration.
To resume agent communication, you'll then have to re-register the agent.
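
The following is an added example, not Checkmk code: a fleet triage that flags hosts whose agent certificate will expire while the controller is inactive, and legacy certificates that have not been renewed yet. It assumes the validity dates were collected in the format printed by `openssl x509 -noout -dates`; the host names, the 90-day warning window and the use of the 50-year maximum as the legacy threshold are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=50 * 365)  # largest selectable lifetime per the Werk
WARN_WINDOW = timedelta(days=90)         # assumption: how early we want a warning


def parse_openssl_time(value):
    """Parse 'Feb 15 00:00:00 2023 GMT' as printed by `openssl x509 -dates`."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def triage(not_before, not_after, controller_running, now):
    """Classify one agent certificate according to the behaviour in the Werk."""
    start, end = parse_openssl_time(not_before), parse_openssl_time(not_after)
    if end <= now:
        # Registration is lost on expiry; the agent has to be re-registered.
        return "expired: re-register agent"
    if controller_running:
        # A running controller renews near-expiry and legacy certificates itself.
        return "ok: controller renews"
    if end - now <= WARN_WINDOW:
        return "at risk: inactive, expires soon"
    if end - start > MAX_LIFETIME:
        return "legacy: inactive, not renewed yet"
    return "ok"


def run_audit(inventory, now):
    """Return {host: verdict} for (host, notBefore, notAfter, running) rows."""
    return {host: triage(nb, na, running, now) for host, nb, na, running in inventory}


# Constructed inventory (hypothetical hosts and dates, for illustration only).
INVENTORY = [
    ("web01", "Feb 20 00:00:00 2023 GMT", "Feb 19 00:00:00 2028 GMT", True),
    ("db02", "Mar  1 00:00:00 2023 GMT", "Mar  1 00:00:00 2028 GMT", False),
    ("old03", "Jun  1 00:00:00 2022 GMT", "Jun  1 00:00:00 2122 GMT", False),
    ("lab04", "Jan 10 00:00:00 2023 GMT", "Jan 10 00:00:00 2028 GMT", False),
]
NOW = datetime(2028, 1, 15, tzinfo=timezone.utc)  # fixed for reproducibility

if __name__ == "__main__":
    for host, verdict in run_audit(INVENTORY, NOW).items():
        print(f"{host}: {verdict}")
```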