Agent Bakery - Use password store for agent sign key

4 votes

Each time when new agents need to be signed, the passphrase for the sign certificate must be entered manually in the GUI (Setup>Agents>Windows, Linux, Solaris, AIX).

It would be a great relief if we could select the passphrase from the CheckMK password store instead of entering it manually. The password store could then also be used for the Rest API.

hqrj3gwapoh397p89v3q.png

Under consideration Agents Suggested by: Lars Sörensen (25 Oct, '24) • Upvoted: 09 Oct, '25 • Comments: 1

Comments: 1
Oldest • Newest • Most likes • Fewest likes

28 Oct, '24
Gerd
Doesn't this completely destroy the idea of the passphrase? I.e. the checkmk server not knowing the passphrase of the key was the point to prevent a compromised checkmk server from immediately being able to bake and sign agents with malicious code/binaries.

Agent Bakery - Use password store for agent sign key

Comments: 1 Oldest • Newest • Most likes • Fewest likes

Comments: 1
Oldest • Newest • Most likes • Fewest likes