Self-signed certificates for agent
Self-signed certificates are not recommended for production environments; use a trusted certificate issuer there. This section outlines a practical way to generate a self-signed certificate for test and demo purposes. That said, if self-signed certificates are generated uniquely for each agent and can be rotated easily, by configuring and updating NOM Server with those certificates, they can be used to enable mutual authentication for agents.
The NOM agent contains a utility to generate a self-signed certificate suitable for your environment.
$> agent ssc --help
utility to generate self-signed certificate for TEST purposes only
sample usage:
to generate a self-signed certificate for 'localhost', which could either be
accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or
with IP addresses of '127.0.0.1' or '192.168.100.5';
$> agent ssc -n localhost -o /tmp \
-d localhost.localdomain,my.custom.domain \
-i 127.0.0.1,192.168.100.5
it creates /tmp/localhost.cert.pem and /tmp/localhost.key.pem files upon completion.
options (required options marked with *):
    -d, --dns=<dns>[,<dns>...]     list of dns names to use to access the
                                   agent host, eg. --dns=localhost.localdomain,test.local.domain
    -i, --ip=<ip>[,<ip>...]        list of IP addresses to use to access the
                                   agent host, eg. --ip=127.0.0.1,192.168.100.55
  * -n, --name=<name>              common name to use in generated certificate,
                                   eg. --name=localhost
  * -o, --output=<output>          target directory, eg. --output=.
    -h, --help                     help
If you are generating a certificate for an agent on localhost, localhost is the primary name set in the Subject Name (CN) field of the certificate and is also used as the base name of the generated files. If CONFIG_AGENT_NAME is not specified, the Subject Name of the agent client certificate, together with the agent's host information, is used as the agent name.
To generate a self-signed certificate for the above example, execute the following command:
agent ssc -n localhost \
-o ./certificates \
-d nom.example.com \
-i 192.168.10.1,172.16.10.1
It generates a key pair and a self-signed certificate and creates localhost.cert.pem and localhost.key.pem inside the ./certificates directory. Note that -n only sets the Subject CN: any DNS name or IP address a TLS peer uses to reach the agent must be listed with -d or -i, because TLS clients match the peer name against the Subject Alternative Name entries, not the CN.
You can then use these two files to configure the agent for mTLS authentication as specified here. Agent certificates also need to be added to the NOM server trust-store through GRPC_SERVER_SECURITY_TRUST_CERT_COLLECTION or grpc.server.security.trustCertCollection so that the server can authenticate the agent.
If you need agent-specific keys for each agent, use a unique agent name for each agent as the Subject Name (if CONFIG_AGENT_NAME is set, it overrides the Subject Name as the agent name).
The following simplified command generates a self-signed certificate tied to an agent's name:
agent ssc -n nom-agent-1 -o ./certificates
It generates a key pair and a self-signed certificate and creates nom-agent-1.cert.pem and nom-agent-1.key.pem inside the ./certificates directory.
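The following script is an added example, not part of the NOM agent or its documentation. It reproduces what the two `agent ssc` invocations above do (a Subject CN plus optional DNS/IP SANs, written as <name>.cert.pem and <name>.key.pem) with plain openssl so it can run anywhere, and then performs the checks worth making on any certificate you hand to an agent and add to the NOM server trust-store: that the SAN list actually covers the names or addresses peers will use, that the private key belongs to the certificate, that the certificate will not expire before your next rotation, and what CN NOM will see as the agent name when CONFIG_AGENT_NAME is unset. The function names, the RSA-2048 key and the 365-day validity are this example's assumptions, not documented `agent ssc` behaviour; it requires openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not NOM code): openssl stand-in for `agent ssc`, plus checks.
# Assumptions: openssl >= 1.1.1; file naming mirrors `agent ssc`;
# key type (rsa:2048) and validity (365 days) are this example's choice.

# gen_test_cert NAME OUTDIR DNS_LIST IP_LIST
#   NAME becomes the Subject CN; DNS_LIST and IP_LIST (comma separated, may be
#   empty) become subjectAltName entries. TEST use only, like `agent ssc`.
gen_test_cert() {
  name=$1; out=$2; dns=$3; ips=$4
  san=""
  for h in $(printf '%s' "$dns" | tr ',' ' '); do san="$san,DNS:$h"; done
  for a in $(printf '%s' "$ips" | tr ',' ' '); do san="$san,IP:$a"; done
  san=${san#,}
  mkdir -p "$out"
  set -- -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$name" \
         -keyout "$out/$name.key.pem" -out "$out/$name.cert.pem"
  [ -n "$san" ] && set -- "$@" -addext "subjectAltName=$san"
  openssl req "$@" 2>/dev/null
}

# san_entries CERT: prints one "DNS:<name>" or "IP:<addr>" entry per line.
san_entries() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^IP Address:/IP:/'
}

# cert_covers CERT NAME: succeeds if NAME (DNS name or IP literal) is a SAN.
# The CN is deliberately not consulted: TLS peers match SAN entries only.
cert_covers() {
  san_entries "$1" | grep -qx -e "DNS:$2" -e "IP:$2"
}

# key_matches_cert CERT KEY: succeeds if KEY is the private key the cert binds.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# cert_valid_for CERT SECONDS: succeeds if the cert does not expire within
# SECONDS (use it as a rotation guard before the server stops trusting it).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# subject_cn CERT: prints the CN, i.e. the Subject Name NOM uses as the agent
# name when CONFIG_AGENT_NAME is not set.
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Walk through the page's localhost example in a temporary directory.
demo() {
  dir=$(mktemp -d)
  gen_test_cert localhost "$dir" nom.example.com 192.168.10.1,172.16.10.1 || return 1
  cert=$dir/localhost.cert.pem; key=$dir/localhost.key.pem
  echo "CN:  $(subject_cn "$cert")"
  echo "SAN: $(san_entries "$cert" | tr '\n' ' ')"
  for n in nom.example.com 192.168.10.1 localhost; do
    if cert_covers "$cert" "$n"; then
      echo "covers $n"
    else
      echo "does NOT cover $n (the CN alone is not enough for a TLS peer)"
    fi
  done
  key_matches_cert "$cert" "$key" && echo "key matches cert"
  cert_valid_for "$cert" $((30 * 86400)) && echo "valid for at least 30 days"
  rm -rf "$dir"
}
demo
```

For a certificate produced by the real `agent ssc`, skip gen_test_cert and run the check functions directly against the files in ./certificates. The demo also shows why the caveat about -n matters: with CN=localhost but no `-d localhost`, cert_covers reports that localhost is not covered.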