For a brand new installation I don't see an issue with replacing them, but be aware that checkmk is acting as a certificate authority. I guess your security department will not be open to deploying an intermediate CA for you.
Our certificates need at least 4096 bits of entropy, and use elliptic curve instead of RSA. They can be valid for up to 1 year. In our test environment I am running 2.2.0p1; here it is only possible to adjust the lifetime. All other parameters are out of our control.
There is no need for the certificate to be signed by our root CA. As long as the site and the agents trust each other, everything is fine (like it is doing with the original certs). The main issue is that the current certificates are not secure enough by our standards.
We do not have a brand new installation, and moving the files around already bricked the agent registration.