Self-signed certificates for agent

It is not recommended to use self-signed certificates in production environments. For production environments, it is advisable to use a trusted certificate issuer. This section outlines a practical way to generate a self-signed certificate for test and demo purposes.

Although, if self-signed certificates are generated uniquely for each agent and can be rotated easily by configuring and updating NOM Server with those certificates, they can be used to enable mutual authentication for agents.

The NOM agent contains a utility to generate a self-signed certificate suitable for your environment.

$> agent ssc --help

utility to generate self signed certificate for TEST purposes only

sample usage:

to generate a self signed certificate for 'localhost', which could either be
accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or
with IP addresses of '127.0.0.1' or '192.168.100.5';

$> agent ssc -n localhost -o /tmp \
   -d localhost.localdomain,my.custom.domain \
   -i 127.0.0.1,192.168.100.5

it creates /tmp/localhost.cert.pem and /tmp/localhost.key.pem files upon completion.

options (required options marked with *):
  -d, --dns=<dns>[,<dns>...]
                            list of dns names to use to access the
                              server, eg. --dns=localhost.localdomain,test.
                              local.domain
  -i, --ip=<ip>[,<ip>...]   list of IP addresses to use to access the
                              server, eg. --ip=127.0.0.1,192.168.100.55
* -n, --name=<name>         common name to use in generated certificate,
                              eg. --name=localhost
* -o, --output=<output>     target directory, eg. --output=.
  -h, --help                help

If you are generating a certificate for an agent on localhost, localhost is the primary name set as Subject Name field on the certificate and is also used as the name of generated files. Assume there are also a number of virtual machines that access the server through IP addresses 192.168.10.1 and 172.16.10.1. Furthermore, a local DNS alias nom.example.com is set up for localhost.

In order to generate a self-signed certificate for the above example, execute the following command;

agent ssc -n localhost \
	-o ./certificates \
	-d nom.example.com \
	-i 192.168.10.1,172.16.10.1

It generates a key pair and a self-signed certificate and creates localhost.cert.pem and localhost.key.pem files inside ./certificates directory.

You can then use these two files to configure the agents for mTLS authentication with server.

Similarly, if you need to generate agent specific keys for each agent, use a unique agent name for each agent as Subject Name (agent name will be overridden if CONFIG_AGENT_NAME is not set).

Following is a simplified command to generate a self-signed certificate tied to an agent’s name:

agent ssc -n nom-agent-1 -o ./certificates

It generates a key pair and a self-signed certificate and creates nom-agent-1.cert.pem and nom-agent-1.key.pem files inside ./certificates directory.