Wazuh agent identity verification - SSL Certificates


Omar K

Nov 4, 2024, 11:14:49 PM
to Wazuh | Mailing List

Hello Team,

I've configured my Wazuh agent to use SSL certificates to verify that an agent is authorised to enrol in the Wazuh manager. By following the instructions in the Wazuh documentation (Wazuh agent identity verification - Additional security options), I was able to register devices with the Wazuh Manager. However, it seems the key expires after 30 days, requiring me to generate a new key.

I attempted to extend the certificate key’s validity to a year by using the following command:

openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -days 365 -batch -subj "/C=US/ST=CA/O=Wazuh"

However, this didn’t work. I received the following error message:

Test Server:

2024/10/17 12:19:08 wazuh-agentd: INFO: Requesting a key from server: a…………

2024/10/17 12:19:08 wazuh-agentd: INFO: No authentication password provided

2024/10/17 12:19:08 wazuh-agentd: INFO: Using agent name as: Testserver01…………

2024/10/17 12:19:08 wazuh-agentd: INFO: Waiting for server reply

2024/10/17 12:19:08 wazuh-agentd: ERROR: SSL read (unable to receive message)

2024/10/17 12:19:08 wazuh-agentd: ERROR: If Agent verification is enabled, the agent key and certificates may be incorrect!

Test Laptop:

2024/10/17 12:19:08 wazuh-agentd: ERROR: If Agent verification is enabled, the agent key and certificates may be incorrect!

wazuh-agent: ERROR: Unable to read private key file: sslagent.key

It works fine with the default (presumably 30-day) certificate and I was able to register new devices. The certificate authority (self-signed) should be valid for 365 days, but it isn't producing a valid key. Do you know why this might be?

Many Thanks

Omar 

Abdullah Al Rafi Fahim

Nov 6, 2024, 4:34:55 AM
to Wazuh | Mailing List
Hello Omar,

I have tested this and successfully generated the rootCA.key and rootCA.pem with higher validity and then used them to generate the sslagent.cert certificate. We successfully enrolled a new agent using this rootCA.pem at the Wazuh Manager as the Agent Identity verification CA (ssl_agent_ca) and the sslagent.cert and sslagent.key as the agent-side certificate and key respectively.

For that, I have followed the following steps.
  • Run the following command on the Wazuh server to use Wazuh as the certificate authority and generate the rootCA.key and rootCA.pem files with higher validity (365 days):
openssl req -x509 -days 365 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Wazuh"

  • Generate a certificate signing request (CSR) for the Wazuh agent on the Wazuh server:
openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -batch

  • Sign the generated agent CSR using the CA keys and generate the sslagent.cert certificate:
openssl x509 -req -days 365 -in sslagent.csr -CA rootCA.pem -CAkey rootCA.key -out sslagent.cert -CAcreateserial

  • Then I copied the rootCA.pem file to the manager's /var/ossec/etc/ directory and configured that as the ssl_agent_ca in the manager's ossec.conf file. Restarted the wazuh-manager to make the change effective. 

  • I have copied the sslagent.cert and sslagent.key to the agent and used them as the enrollment certificate and key.
I have followed the same steps as described here: https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/security-options/agent-identity-verification.html but used the -days 365 option during the CA generation only. Bear in mind that if you are generating a new CA, you need to sign the agent CSR and regenerate the certificate based on that. If there is a mismatch between the CA and the certificate, the certificate verification and enrollment may fail.

Here I am sharing a screenshot to validate the higher validity of both the rootCA.pem and sslagent.cert.
I hope it helps. Please let us know if you have any further query or issue here.
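The mismatch described in the reply (an agent certificate signed by an older CA than the one installed as ssl_agent_ca) can be caught before enrollment is attempted. The script below is an added example, not code from the thread or from Wazuh: it runs the same three openssl commands with a 365-day validity and then checks that the agent certificate chains to rootCA.pem, that sslagent.key matches sslagent.cert, and that the certificate outlasts the 30-day default. WORKDIR and the agent subject CN are assumptions; the file names follow the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh: build the 365-day CA,
# agent key and CSR, sign the CSR, then check the result before copying
# rootCA.pem (ssl_agent_ca) to the manager and sslagent.cert/.key to the agent.
# WORKDIR and the agent CN "/CN=wazuh-agent" are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DAYS=365

# Generate rootCA.key/rootCA.pem, sslagent.key/sslagent.csr and the signed
# sslagent.cert into $WORKDIR, using the same openssl commands as the thread.
make_agent_certs() {
  openssl req -x509 -days "$DAYS" -new -nodes -newkey rsa:4096 \
    -keyout "$WORKDIR/rootCA.key" -out "$WORKDIR/rootCA.pem" \
    -batch -subj "/C=US/ST=CA/O=Wazuh" 2>/dev/null
  openssl req -new -nodes -newkey rsa:4096 \
    -keyout "$WORKDIR/sslagent.key" -out "$WORKDIR/sslagent.csr" \
    -batch -subj "/CN=wazuh-agent" 2>/dev/null
  openssl x509 -req -days "$DAYS" -in "$WORKDIR/sslagent.csr" \
    -CA "$WORKDIR/rootCA.pem" -CAkey "$WORKDIR/rootCA.key" -CAcreateserial \
    -out "$WORKDIR/sslagent.cert" 2>/dev/null
}

# Exit 0 only if sslagent.cert chains to rootCA.pem. A certificate signed by an
# older CA fails here, which is the CA/cert mismatch behind the "SSL read" error.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/rootCA.pem" "$WORKDIR/sslagent.cert" >/dev/null 2>&1
}

# Exit 0 only if sslagent.key is the private key belonging to sslagent.cert.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORKDIR/sslagent.cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORKDIR/sslagent.key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 only if sslagent.cert is still valid $1 days from now (-checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$WORKDIR/sslagent.cert" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Usage: sh check_agent_certs.sh run
if [ "${1:-}" = "run" ]; then
  make_agent_certs
  verify_chain && key_matches_cert && cert_valid_for_days 300 && echo "OK: $WORKDIR"
fi
```

Run the same verify_chain check against the rootCA.pem actually installed in /var/ossec/etc/ on the manager to confirm the deployed CA is the one that signed the agent certificate.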