Windows server certificate authority

Hey,
I was just wondering if it is possible to bind the checkmk agent bakery certificate to a Windows CA?

I am not quite sure if and how that would be possible, so that I can use a cert for the web interface/checkmk server in total?

Hi,

Yes, this is possible for the agent updater plugin.
If you create a TLS certificate for your checkmk monitoring server in your own certificate authority, you can use this certificate to secure your frontend (distribution) apache2 web server as described here:

When this works successfully, you can add your root CA certificate in the agent updater plugin configuration to only trust TLS certificates signed by that CA.
You will have to test and carefully make sure everything works as expected. Try to use HTTP and HTTPS in parallel first until everything works as expected, and create a separate agent updater plugin rule for some test hosts with HTTPS until you are sure that it really works.
If everything looks good, you can then reconfigure the existing agents to use HTTPS with the CA certificate, and finally, if that was OK and all installed agents are using HTTPS, you can remove the port 80 vhost in your Apache configuration.

The TLS registration for encrypting the agent communication is a completely different matter; there it is currently not possible to replace the builtin CA created by the checkmk site.
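A pre-flight check for the HTTPS rollout described in the reply above, as an added example that is not part of the original thread and not checkmk's own code: it validates the web server's certificate against the private root CA alone, with hostname checking, before the CA is entered in an agent updater rule. The host name, CA file path and function names are hypothetical.

```python
import socket
import ssl
from typing import NamedTuple


class TrustResult(NamedTuple):
    status: str  # trusted | untrusted | ca_unreadable | connect_failed
    detail: str


def private_ca_context(ca_file: str) -> ssl.SSLContext:
    # Passing cafile means the system trust store is NOT loaded, so only
    # chains ending in this root validate. Hostname checking stays enabled.
    return ssl.create_default_context(cafile=ca_file)


def probe(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> TrustResult:
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Wrong issuer, expired certificate, or name not in the SAN list.
        return TrustResult("untrusted", exc.verify_message)
    except OSError as exc:
        # Refused, timed out, or the port does not speak TLS.
        return TrustResult("connect_failed", str(exc))
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    sans = [value for _kind, value in cert.get("subjectAltName", ())]
    return TrustResult(
        "trusted",
        f"issuer={issuer.get('commonName')} notAfter={cert['notAfter']} san={sans}",
    )


def check_update_server(host: str, ca_file: str, port: int = 443) -> TrustResult:
    try:
        ctx = private_ca_context(ca_file)
    except OSError as exc:  # missing file, or no PEM certificate inside it
        return TrustResult("ca_unreadable", str(exc))
    return probe(host, port, ctx)


if __name__ == "__main__":
    # Hypothetical host name and CA path; replace with your own.
    print(check_update_server("monitoring.example.internal", "/tmp/root-ca.pem"))
```

An `untrusted` result for a test host means the name the agents will use is missing from the certificate or the chain does not end in the exported root, which is worth resolving before the port 80 vhost is removed.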
