Self-signed certificates for agent
Self-signed certificates are not recommended for production environments; use a trusted certificate issuer there. This section outlines a practical way to generate a self-signed certificate for test and demo purposes. However, if self-signed certificates are generated uniquely for each agent and can be rotated easily (by reconfiguring the agents and updating NOM Server with the new certificates), they can be used to enable mutual authentication for agents.
The NOM agent contains a utility to generate a self-signed certificate suitable for your environment.
```
$> agent ssc --help
utility to generate self signed certificate for TEST purposes only
sample usage:
  to generate a self signed certificate for 'localhost', which could either be
  accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or
  with IP addresses of '127.0.0.1' or '192.168.100.5';
    $> agent ssc -n localhost -o /tmp \
         -d localhost.localdomain,my.custom.domain \
         -i 127.0.0.1,192.168.100.5
  it creates /tmp/localhost.cert.pem and /tmp/localhost.key.pem files upon completion.
options (required options marked with *):
    -d, --dns=<dns>[,<dns>...]   list of dns names to use to access the
                                 server, eg. --dns=localhost.localdomain,test.local.domain
    -i, --ip=<ip>[,<ip>...]      list of IP addresses to use to access the
                                 server, eg. --ip=127.0.0.1,192.168.100.55
  * -n, --name=<name>            common name to use in generated certificate,
                                 eg. --name=localhost
  * -o, --output=<output>        target directory, eg. --output=.
    -h, --help                   help
```
If you are generating a certificate for an agent on localhost, localhost is the primary name set as the Subject Name field on the certificate and is also used as the name of the generated files. Assume there are also a number of virtual machines that access the server through the IP addresses 192.168.10.1 and 172.16.10.1. Furthermore, a local DNS alias nom.example.com is set up for localhost.
To generate a self-signed certificate for the above example, execute the following command:
```
agent ssc -n localhost \
    -o ./certificates \
    -d nom.example.com \
    -i 192.168.10.1,172.16.10.1
```
It generates a key pair and a self-signed certificate, and creates the localhost.cert.pem and localhost.key.pem files inside the ./certificates directory. You can then use these two files to configure the agents for mTLS authentication with the server.
Similarly, if you need to generate agent-specific keys for each agent, use a unique agent name for each agent as the Subject Name (the agent name will be overridden if CONFIG_AGENT_NAME is not set). The following is a simplified command to generate a self-signed certificate tied to an agent's name:
```
agent ssc -n nom-agent-1 -o ./certificates
```
It generates a key pair and a self-signed certificate, and creates the nom-agent-1.cert.pem and nom-agent-1.key.pem files inside the ./certificates directory.
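Before handing a generated pair to NOM Server, it is worth confirming that the certificate actually carries the Subject Name and every DNS name and IP address the clients will connect through, and that the key file really belongs to the certificate. The script below is an added example, not part of the NOM agent or its documentation: since `agent ssc` is not assumed to be on the path, `gen_ssc` reproduces with OpenSSL what the two commands above (the localhost example with a DNS alias and two IPs, and the per-agent `nom-agent-1` case) are described to produce, and `check_ssc` then verifies the result. It assumes OpenSSL 1.1.1 or newer (for `req -addext` and `x509 -ext`); the 30-day validity and 2048-bit RSA key are choices made here for a test setup.

```shell
#!/bin/sh
# Added example (not the NOM agent's own code). Assumes OpenSSL >= 1.1.1 on PATH.

# gen_ssc NAME OUTDIR DNS_LIST IP_LIST
#   Writes OUTDIR/NAME.cert.pem and OUTDIR/NAME.key.pem, mirroring the file
#   naming of `agent ssc`. DNS_LIST and IP_LIST are comma separated and may be empty.
gen_ssc() {
    name=$1; out=$2; dns=$3; ips=$4
    # The common name itself always goes into subjectAltName as well, because
    # modern TLS clients ignore the CN and match hostnames against the SAN only.
    san="DNS:$name"
    if [ -n "$dns" ]; then
        san="$san,$(printf '%s' "$dns" | sed 's/,/,DNS:/g; s/^/DNS:/')"
    fi
    if [ -n "$ips" ]; then
        san="$san,$(printf '%s' "$ips" | sed 's/,/,IP:/g; s/^/IP:/')"
    fi
    mkdir -p "$out"
    # 30 days and RSA-2048 are assumptions for a throwaway test certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$name" -addext "subjectAltName=$san" \
        -keyout "$out/$name.key.pem" -out "$out/$name.cert.pem" 2>/dev/null
}

# check_ssc NAME OUTDIR "ENTRY ENTRY ..."
#   Returns 0 only if the certificate's CN equals NAME, every listed SAN entry
#   (e.g. DNS:nom.example.com, IPAddress:172.16.10.1) is present, the cert has
#   not expired, and the key file's public key matches the certificate.
check_ssc() {
    name=$1; out=$2; want=$3
    cert="$out/$name.cert.pem"; key="$out/$name.key.pem"

    # 1. Subject Name must be the name the server will be told to expect.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$cn" != "CN=$name" ]; then
        echo "subject mismatch: got '$cn', want 'CN=$name'" >&2; return 1
    fi

    # 2. Every name/address the clients use must be an exact SAN entry.
    #    `-ext` prints a header line, then the entries; squash spaces so that
    #    "IP Address:x" becomes "IPAddress:x" and compare whole entries.
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | tail -n +2 | tr -d ' \n')
    for entry in $want; do
        case ",$san," in
            *",$entry,"*) ;;
            *) echo "missing SAN entry $entry (have: $san)" >&2; return 1 ;;
        esac
    done

    # 3. Still valid right now (checkend 0 fails once the notAfter date has passed).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired" >&2; return 1; }

    # 4. The private key must correspond to the certificate's public key.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "key file does not match certificate" >&2; return 1
    fi
    return 0
}

# demo: the localhost example from the text (DNS alias nom.example.com, two VM IPs).
demo() {
    dir=$(mktemp -d)
    if gen_ssc localhost "$dir" nom.example.com 192.168.10.1,172.16.10.1 &&
       check_ssc localhost "$dir" "DNS:localhost DNS:nom.example.com IPAddress:192.168.10.1 IPAddress:172.16.10.1"
    then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

Run `check_ssc` against the files `agent ssc` wrote (for example `check_ssc localhost ./certificates "DNS:nom.example.com IPAddress:192.168.10.1"`) before configuring NOM Server; a certificate that passes these four checks is one the server and the VMs will be able to validate, and a missing SAN entry is caught here rather than as an opaque handshake failure later.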