back to website

Werk #17102: Agent Signature Key Expiry and Notifications

Component Agent bakery
Title Agent Signature Key Expiry and Notifications
Date Jun 17, 2025
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.5.0b1
Not yet released 		Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0p5 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p35
Not yet released 		Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p44 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Background

Since Checkmk 2.2.0 agent signature keys in the Agent Bakery have inadvertently been created with a shortened lifetime of only two years. As a result, keys created shortly after the release of Checkmk 2.2.0 are about to expire in the next months.

Since Werk #15064, imminent key expiry caused the Check_MK Agent service to go to a WARN / CRIT state, which could cause an overwhelming amount of email notifications for users with a large number of hosts.

Changes

To avoid sending too many notifications, the Check_MK Agent service will no longer change its state to indicate imminent certificate expiry. If a key is fully expired, the service will assume a WARN state.

Instead of individual notifications per affected host administrators will now receive a user notification within the Checkmk GUI when a key is about to expire in 90 days. When a key is about to expire in 20 days all users will also receive a warning via email.

The expiry date of your agent signature keys is now displayed in the list of keys in the Agent Bakery.

In addition to that, newly generated signature keys have a lifetime of 10 years.

This Werk is marked incompatible because we recommend that you review your agent signature keys and renew them if they are about to expire.

Replacing keys before they expire

You can replace signature keys while they are still valid via the agent bakery as follows:

  1. Create a new signature key
  2. Select that new key under Signature keys the agent will accept in the Agent updater rule (you can uncheck the old key)
  3. Bake and sign agents with the old key
  4. Verify that all agents have been updated

Sign future updates with the new key.

Replacing expired keys

If the signature key has expired the agent will no longer accept any updates signed with that key. If no other, still valid keys are available, you will need to force the update on each host manually:

  1. Create a new signature key
  2. Select that new key under Signature keys the agent will accept in the Agent updater rule (you can uncheck the old key)
  3. Bake and sign agents with the new key
  4. Log into the host and force the update without checking signatures using cmk-update-agent --skip-signatures
  5. Use cmk-update-agent show-config to verify that the update succeeded

To the list of all Werks