Oftentimes you need to update the SSL certificate for your Checkmk server. This may be because it expired, or as part of your ongoing operations and/or security best practices. Whatever the case, your Checkmk agents require a known SSL certificate to be bundled with the agent in order for the automatic agent update feature to work.
If you create a new rule and replace the existing certificate, you may run into a problem, since the new certificate is not yet available to the agent. The solution is quite simple:
1. Generate a new certificate.
2. Bake the new certificate into the agent (leaving the previous certificate as well).
3. Wait until all agents have updated.
4. Modify the agent by removing the old certificate from step 2.
The last step will once again trigger a bake and sign process and another agent update. This is normal, as the old certificate will still be in the PEM provided by the agent; however, after this update the agent will have just the new certificate.
So the trick is to bake both certificates, the old with the new, make sure all your systems have updated and then remove the old certificate.
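One way to check step 3 before removing the old certificate is to compare the certificates in each agent's PEM bundle against the SHA-256 fingerprints of the old and new certificate. This is an added example, not Checkmk's own code; the function names, host names and sample bundles are constructed for illustration, and it assumes you have already collected each agent's PEM file contents yourself.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def rotation_stage(pem_text, old_fp, new_fp):
    """Classify one agent's bundle against the old and new certificate."""
    found = set(bundle_fingerprints(pem_text))
    has_old, has_new = old_fp in found, new_fp in found
    if has_old and has_new:
        return "both"       # step 2 has reached this agent
    if has_new:
        return "new-only"   # old certificate already removed (after step 4)
    if has_old:
        return "old-only"   # agent has not picked up the new bake yet
    return "neither"

def safe_to_remove_old(bundles, old_fp, new_fp):
    """True only when every agent bundle already contains the new certificate."""
    return all(rotation_stage(pem, old_fp, new_fp) in ("both", "new-only")
               for pem in bundles.values())

def _fake_pem(der):
    # Constructed stand-in: arbitrary bytes in PEM armour, not a real X.509 cert.
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-new-cert"
OLD_FP = hashlib.sha256(OLD_DER).hexdigest()
NEW_FP = hashlib.sha256(NEW_DER).hexdigest()

# Constructed sample: bundles as they might be collected from three hosts.
SAMPLE = {
    "host-a": _fake_pem(OLD_DER) + _fake_pem(NEW_DER),
    "host-b": _fake_pem(OLD_DER),
    "host-c": _fake_pem(NEW_DER),
}

if __name__ == "__main__":
    for host, pem in SAMPLE.items():
        print(host, rotation_stage(pem, OLD_FP, NEW_FP))
    print("safe to remove old:", safe_to_remove_old(SAMPLE, OLD_FP, NEW_FP))
```

With real certificates, the fingerprint computed here matches the SHA-256 fingerprint of the certificate's DER encoding, so the old and new values can be taken from the certificates themselves.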