Werk #19441: Add cmk-cert tool to manage certificate rotation
| Component | Core & setup | ||
| Title | Add cmk-cert tool to manage certificate rotation | ||
| Date | Apr 21, 2026 | ||
| Level | Trivial Change | ||
| Class | New Feature | ||
| Compatibility | Compatible - no manual interaction needed | ||
| Checkmk versions & editions |
|
With the release of Checkmk 2.5, we have introduced cmk-cert, a command-line tool designed to simplify the rotation of site certificates.
The tool can issues a new site certificate signed by the current Site CA while preserving all configured Subject Alternative Names (SANs). When executed on the central site, it can rotate the site certificate for the local site as well as for any connected distributed sites.
cmk-cert also allows to rotate the site-ca certificate, but this is currently considered experimental and is not recommended for production use. Rotating the Site CA breaks trust with all registered agents, which must then be manually re-registered, and there is no operational benefit to doing so at this time.