Configuring certificates

TLS

How it works

The TLS (1.3) connection is negotiated by the client (poller or agent, depending on the direction) and requires certificates. Depending on the connection direction, the agent/the poller checks that the IP/DNS used to reach the server strictly matches the information in the certificate. If this is not the case, the connection is not allowed. The verification is performed on the alt_names block of the certificate, which may contain several DNS, IP, or CN entries.

Certificate files

Supported formats are :

• public certificate file, CA or wildcard: .crt/.cer
• private key file: .key

Certificate files stored on the poller must be stored in /etc/pki/, either at the root or in a subdirectory. They must have the following permissions:

chmod 644 /etc/pki/agent*

Certificate files stored on the host can be stored in the directory of your choice.

These files can also be saved directly in the certificate store. In this case, it is not necessary to enter them in the configuration made on the host (Host configuration column in the table below).

Summary of possible configurations

The agent connects to the poller

When connecting to the poller, the agent verifies that the IP/DNS entered in the Poller endpoint parameter of the agent configuration strictly matches the information in the certificate (SAN or CN). If this is not the case, the connection is not allowed.

Use case	File(s) on the poller	File(s) on the host (if not loaded in the certificate store)	Poller configuration (interface)	Host configuration
Certificate signed by a CA	Public certificate and private key files	CA file	In the OTLP receiver section: Public certificate: path to the public certificate (example: '/etc'/pki'/certificate.crt) Private key: path to the private key (example: '/etc'/pki'/certificate.key) CA: empty	Poller endpoint: IP/DNS of the poller Private key file/private_key: empty Certificate file: empty Trusted CA's certificate file/ca_certificate: path to the CA Certificate Common Name/ca_name: empty
Self-signed certificate	Public certificate and private key files	Public certificate file	In the OTLP receiver section: Public certificate: path to the public certificate (example: '/etc'/pki'/certificate.crt) Private key: path to the private key (example: '/etc'/pki'/certificate.key) CA: empty, except when a double handshake is needed	Poller endpoint: IP/DNS of the poller Private Key file/private_key: empty Certificate file/public_certificate: empty Trusted CA's certificate file/ca_certificate: path to the public certificate Certificate Common Name/ca_name: empty
Wildcard certificate	Wildcard and private key files	Wildcard file	In the OTLP receiver section: Public certificate: Wildcard certificate file Private key: path to the private key CA: empty	Private Key file/private_key: empty Certificate file/public_cert: empty Trusted CA's certificate file/ca_certificate: path to the wildcard certificate Certificate Common Name/ca_name: empty
Public certificate (managed service, e.g. central Centreon Cloud poller)	None	None	In the OTLP receiver section: Public certificate: empty Private key: empty CA: empty	Poller endpoint: IP/DNS of the load balancer bearing the public certificate Private Key file/private_key: empty Certificate file/public_cert: empty Trusted CA's certificate file/ca_certificate: empty Certificate Common Name/ca_name : empty
Public certificate (key files)	Public certificate and private key files	None	In the OTLP receiver section: Public certificate: path to the public certificate (example: '/etc'/pki'/certificate.crt) Private key: path to the private key (example: '/etc'/pki'/certificate.key) CA: empty	Poller endpoint: IP/DNS of the poller Private Key file/private_key: empty Certificate file/public_cert: empty Trusted CA's certificate file/ca_certificate: empty Certificate Common Name/ca_name: empty

The poller connects to the agent

When connecting to the agent, the poller checks that the IP/DNS entered for the host (in the agent configuration) strictly matches the information in the certificate (SAN or CN). If this is not the case, the connection to this host is not allowed.

Use case	File(s) on the poller	File(s) on the host	Poller configuration (interface)	Host configuration
Certificate signed by a CA	CA file	Public certificate and private key files	In the Host configurations section: CA: path to the CA CA common name (CN): empty	Private Key file/private_key: path to the private key Certificate file/public_cert: path to the public certificate Trusted CA's certificate file/ca_certificate: empty Certificate Common Name/ca_name: empty
Self-signed certificate	Public certificate file	Public certificate and private key files	In the Host configurations section: CA: path to the public certificate CA Common Name (CN): empty	Private Key file/private_key: path to the private key Certificate file/public_cert: path to the public certificate Trusted CA's certificate file/ca_certificate: empty Certificate Common Name/ca_name: empty
Wildcard certificate	Wildcard file	Wildcard and private key files	In the Host configurations section: CA: path to the wildcard certificate Nom commun CA (CN): empty	Private Key file/private_key: path to the private key Certificate file/public_cert: path to the wildcard certificate Trusted CA's certificate file/ca_certificate: empty Certificate Common Name/ca_name: empty

How to generate a self-signed certificate (optional)

If you do not have a certificate, you can generate a self-signed one. To generate a self-signed certificate that is valid for one year, run the following command on your poller or host:

openssl req -new -subj '/CN={server_hostname}' \
                 -addext "subjectAltName = CN:{server_hostname}, DNS:{alt_poller_DNS}, IP:{alt_poller_IP}" \
                 -days 365 -nodes -x509 \
                 -newkey rsa:2048 -keyout {key} -out {cert}

• {key} = path to the private key file
• {cert} = path to the public certificate file
• {server_hostname} = DNS name of the server and/or use {alt_poller_DNS} and/or use {alt_poller_IP} In TLS encryption mode, the DNS/IP of the server used by the client must correspond to a CN or SAN (altName) entry in the certificate ({server_hostname}). The line -subj '/CN={server_hostname}' \ is optional if SANs are defined.

The agent connects to the poller

{server_hostname} must match the DNS/IP used in Poller endpoint (Installer) / *endpoint (json), in the agent configuration, on the host.

The poller connects to the agent

{server_hostname} must match the DNS/IP used in the Host Configurations > Host field of the agent configuration in the interface.

Testing mode: unencrypted communication

You can leave the connection unencrypted for test purposes only. In this mode, you do not need any certificates or tokens.

Note that this connection will only last for one hour. Do not use this setting in production!

To configure this mode, select No TLS from the Encryption level list in the Agent configuration window.

The agent will be configured the following way on the host:

• for Windows, using the corresponding option in the installer or the CLI
• for Linux, using the centagent.json file:

The agent connects to the poller

{
  "log_level":"info",
  "endpoint":"<IP/DNS COLLECTEUR>:4317",
  "encryption" : "false",
  "host":"host_1",
  "log_type":"file",
  "log_file":"/var/log/centreon-monitoring-agent/centagent.log" 
}

The poller connects to the agent

{
  "log_level":"info",
  "endpoint":"0.0.0.0:4317",
  "encryption" : "false",
  "host":"host_1",
  "log_type":"file",
  "log_file":"/var/log/centreon-monitoring-agent/centagent.log" ,
  "reversed_grpc_streaming":true
}