Self-signed certificates for agent

It is not recommended to use self-signed certificates in production environments. For production environments, it is advisable to use a trusted certificate issuer. This section outlines a practical way to generate a self-signed certificate for test and demo purposes.

Although, if self-signed certificates are generated uniquely for each agent and can be rotated easily by configuring and updating NOM Server with those certificates, they can be used to enable mutual authentication for agents.

The NOM agent contains a utility to generate a self-signed certificate suitable for your environment.

$> agent ssc --help

utility to generate self-signed certificate for TEST purposes only

sample usage:

to generate a self-signed certificate for 'localhost', which could either be
accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or
with IP addresses of '127.0.0.1' or '192.168.100.5';

$> agent ssc -n localhost -o /tmp \
   -d localhost.localdomain,my.custom.domain \
   -i 127.0.0.1,192.168.100.5

it creates /tmp/localhost.cert.pem and /tmp/localhost.key.pem files upon completion.

options (required options marked with *):
  -d, --dns=<dns>[,<dns>...]
                            list of dns names to use to access the
                              agent host, eg. --dns=localhost.localdomain,test.
                              local.domain
  -i, --ip=<ip>[,<ip>...]   list of IP addresses to use to access the
                              agent host, eg. --ip=127.0.0.1,192.168.100.55
* -n, --name=<name>         common name to use in generated certificate,
                              eg. --name=localhost
* -o, --output=<output>     target directory, eg. --output=.
  -h, --help                help

If you are generating a certificate for an agent on localhost, localhost is the primary name set as Subject Name field on the certificate and is also used as the name of generated files. If CONFIG_AGENT_NAME is not specified, the Subject Name in agent client certificate along with the host information of agent will be used as the agent name.

In order to generate a self-signed certificate for the above example, execute the following command:

agent ssc -n localhost \
	-o ./certificates \
	-d nom.example.com \
	-i 192.168.10.1,172.16.10.1

It generates a key pair and a self-signed certificate and creates localhost.cert.pem and localhost.key.pem files inside ./certificates directory.

You can then use these two files to configure the agents for mTLS authentication as specified here. Agent certificates also need to be added to NOM server trust-store through GRPC_SERVER_SECURITY_TRUST_CERT_COLLECTION or grpc.server.security.trustCertCollection to mutually authenticate.

If you need to generate agent specific keys for each agent, use a unique agent name for each agent as Subject Name (agent name will be overridden if CONFIG_AGENT_NAME is not set).

Following is a simplified command to generate a self-signed certificate tied to an agent’s name:

agent ssc -n nom-agent-1 -o ./certificates

It generates a key pair and a self-signed certificate and creates nom-agent-1.cert.pem and nom-agent-1.key.pem files inside ./certificates directory.