Werk #14965: Dedicated CA for agent certificates

Component Checks & agents
Title Dedicated CA for agent certificates
Date Feb 15, 2023
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.2.0b1
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

On agent registration, the contacted site issues an x509 certificate to the requesting agent controller.
Previously, this agent certificate has been signed by the site-local CA, that's also used to issue certificates used for distributed monitoring, and to issue the agent receiver's certificate.

Starting with this Werk, each Checkmk site will use a dedicated agent CA to issue certificates to requesting agent controllers.

This change slighly improves security, as agent receiver and agent controller can't be authenticated with the same root certificate anymore, making it impossible to act as each other.
While this situation has effectively been prevented before, this is now assured already on transport level, rather than on application level.

To prevent locking out registered agents, preexisting (Created with a Checkmk version prior to this Werk) Checkmk sites will still accept certificates issued by the site CA in parallel to the new agent CA.
New sites will only accept certificates issued by the agent CA.

This change is also loosely coupled with the new certificate lifetime mentioned in Werk #14964.
Since active agent controllers will automatically renew their certificate to a new lifetime-limited one, this also means that they will migrate to new new CA automatically.

As an additional benefit, experienced users now can replace the agent signing CA with their own one. This has to be done directly at the site's home directory, though.
The new agent CA is located at ~/etc/ssl/agents/ca.pem and can be replaced with a new one in the same format.
To migrate from one CA to another, it's also possible to add additional trusted root certificates to ~/etc/ssl/agents/.

Even though this Werk is related to security, it does not fix any exploitable issue.
To aid automatic scanners, we assign a CVSS score of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

To the list of all Werks