Security concerns with Checkmk Werk 14079

Thanks for the great discussion here, guys! We already started a discussion on this internally.

I know you know this, but just to clarify and to keep everyone on the same page:

  • The agent update registration is not affected by this discussion; permissions there are already granular
  • We are talking about the registration for TLS encryption between server and agent

That being said, I want to make you aware of the so-called registration by proxy. I know it has already been mentioned, but I want to stress this. This method allows you to run most of the registration process on the Checkmk server, and then you only need to transfer the resulting file to the system to be registered and import it there. I do realize that this is not perfectly automatable, but if you implement a smart process, this should work well in the environments outlined here.

To conclude: We are already discussing tightening the permissions concerning the registration process for TLS, so the suggested alternative is not the last word here. Maybe some of you can give it a try and let me know how it went.
