Generate SSL certificates

Generate new SSL certificates for securing communication between AgentX Server and AgentX Clients.

Prerequisites

  • AgentX Server installed in Logpoint

  • AgentX Manager installed in Logpoint

  • Administrator access to Logpoint

  • In distributed Logpoint setups, you must generate certificates on the Search Head

Procedure

  1. Go to Settings > Configuration and select AgentX.

  2. Select Certificates.

  3. Select Generate.

  4. In the confirmation dialog, select Yes to confirm certificate generation.

  5. After generation completes, select Download to download the client certificates (sslagent.cert and sslagent.key).

  6. Replace existing certificates on all AgentX Clients with the downloaded certificates.

Expected outcome

AgentX generates three new certificates:

  • rootCA.pem - Root Certificate Authority certificate (synced automatically to AgentX Server)

  • sslagent.cert - Client authentication certificate (must be downloaded)

  • sslagent.key - Client certificate key (must be downloaded)

Existing agents continue using old certificates until you replace them.

Verification

  1. Go to Settings > Configuration > AgentX > Certificates.

  2. Verify that the certificate generation timestamp is updated.

After replacing certificates on agents:

  1. Go to Settings > Configuration > AgentX > Agents.

  2. Verify that agents reconnect successfully and appear in the agents list.

Replace certificates on Windows agents

  1. Navigate to the AgentX Client installation directory (default: C:\Program Files (x86)\ossec-agent\cert).

  2. Back up the existing certificate files.

  3. Copy the downloaded sslagent.cert and sslagent.key files to the cert directory.

  4. Restart the AgentX Client service:

    • Open Services (services.msc)

    • Right-click the AgentX or OSSEC service

    • Select Restart

Replace certificates on Linux agents

  1. Navigate to the certificate directory:

  2. Back up the existing certificate files:

  3. Copy the downloaded certificate files to the directory.

  4. Restart the wazuh-agent service:
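
Steps 2 and 3 of the Linux procedure as a shell function, added here as an example and not Logpoint's own tooling. The certificate directory is passed in by the caller because the page does not state it; the function names and the openssl pair check (which assumes PEM files) are assumptions of this example.

```shell
#!/bin/sh
# Added example. CERT_DIR is supplied by the caller; the page does not give the Linux path.

# True when certificate $1 and private key $2 carry the same public key.
# Assumption: both files are PEM encoded and the key is not passphrase protected.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# replace_agentx_certs SRC_DIR CERT_DIR
# Prints the backup directory on success.
# Returns 1 for bad input, 2 for a cert/key mismatch, 3 for a backup or copy failure.
replace_agentx_certs() {
    src=$1 dst=$2
    for f in sslagent.cert sslagent.key; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    [ -d "$dst" ] || { echo "no such directory: $dst" >&2; return 1; }

    # Reject a mismatched or unparsable pair before touching the live files.
    if command -v openssl >/dev/null 2>&1; then
        pair_matches "$src/sslagent.cert" "$src/sslagent.key" || {
            echo "sslagent.cert and sslagent.key do not match" >&2; return 2; }
    fi

    # Step 2: back up the current files into a private (0700) directory.
    backup=$(mktemp -d "$dst/backup-$(date +%Y%m%d%H%M%S).XXXXXX") || return 3
    for f in sslagent.cert sslagent.key; do
        [ ! -e "$dst/$f" ] || cp -p "$dst/$f" "$backup/$f" || return 3
    done

    # Step 3: copy the new files, then confirm the installed bytes are identical.
    for f in sslagent.cert sslagent.key; do
        cp "$src/$f" "$dst/$f" || return 3
        cmp -s "$src/$f" "$dst/$f" || return 3
    done

    # The key authenticates agents to the server: remove access for "other" users.
    chmod o-rwx "$dst/sslagent.key" || return 3
    echo "$backup"
}
```

Overwriting with cp keeps the owner and group of the files already in place, so only access for other users changes. Restart the wazuh-agent service afterwards, as in step 4.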

Configuration guidelines

Generate certificates before large deployments: If you plan to deploy AgentX to many endpoints, generate custom certificates before installation to avoid replacing default certificates on all agents later.

In distributed mode, certificates sync automatically: When operating in distributed mode, AgentX automatically syncs rootCA.pem to all Logpoint nodes in the cluster. You only need to generate certificates once on the Search Head.

New agents after generation use old certificates: Agents installed after certificate generation still receive the default certificates during installation. You must manually replace certificates on these agents as well.

Keep client certificates secure: Store the downloaded client certificates securely. Anyone with access to these certificates can authenticate agents to your AgentX Server.
