Integrate CheckMK 2.5.0p7 into enterprise CA

Hello everyone,

I have inherited a multisite CheckMK instance. After having a look around and upgrading everything, I also realized there are very old Root certificates. These self-signed certificates had a thousand-year validity period and only 2048-bit keys.

I got a subordinate CA certificate for CheckMK from our enterprise Root CA and would like to integrate this to our enterprise PKI. I already added the enterprise Root and cmkSubCA certificates to the trusted certs. I replaced them on the filesystem (just for Site CA and Agent signing for now). Can I somehow trigger Check MK to regenerate site certificates?

Also, what do I need to look at when replacing the message broker and relay CA certificates?

I appreciate any insight because I couldn’t find sufficient documentation. I understand CheckMK is a standalone system by default, but an integrated enterprise PKI would be neat. We are using the pro version.

You can use cmk-cert to trigger Check MK to regenerate site certificates - check the help for further details. However, using your own certificate isn't supported.

```
# as siteuser
cmk-cert --help
cmk-cert rotate --help
```

Should be tested in a test environment first to get familiar with the process (agents, remote sites, etc.).