Starting with Resilio Connect 3.8.2, there is a new option that allows the Agent to authenticate the Management Console by certificate chain rather than by certificate fingerprint. This simplifies certificate update and rotation for the Management Console: its certificate can be updated at any moment without preventing Agents from connecting, as long as the whole certificate chain is valid.
To use the feature:
- Ensure that the relevant CA certificate is placed in the Agent's operating system trusted root certificate storage.
- Add a custom parameter to the Agent profile or configuration file: allow_server_trusted_cert_hostname=<name>, where <name> is the hostname as seen in the Management Console certificate's "Distinguished Name" or "Subject Alternative Name" sections. Multiple names are allowed; use ";" and "," as delimiters.
- Restart the Resilio Agent service.
Notes:
Enabling the check by hostname automatically disables the check of the certificate by fingerprint.
On Windows computers, the trusted root storage is individual for every user. Therefore, ensure the CA certificate is deployed either to the user account that actually runs the Resilio Agent service or to the "Local machine" certificate storage.
Should your CA certificate reside in a non-default location, there is a custom parameter mc_ca_path (applicable both via Agent Profile and via config file) that specifies a custom location for the CA certificate on any OS. If defined, it is the priority location from which the CA is loaded; other locations won't be checked.
Full description of the verification algorithm is available here.
The feature works even when Agents connect to the Management Console over an IP address instead of a DNS name: the Agent verifies the certificate fields against the parameter, not against the actual connection address.
The Resilio Agent only validates the certificate at the moment of connection, so certificate expiration will not affect an Agent's existing connection.
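As an added illustration (not Resilio's code; the Agent's real implementation is not shown on this page), the Go program below models the check that the procedure above and the note on IP-address connections describe: chain validation against a trusted root store, then matching the names from allow_server_trusted_cert_hostname against the certificate's Subject CN and SANs, independent of the address dialed. The CA, the Management Console certificates and the hostnames are all constructed inside the program; the serverTrusted and mintCert functions are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// serverTrusted: the leaf must chain to a CA in roots and carry one configured name (';' or ',' separated) in its Subject CN or SANs.
func serverTrusted(leaf *x509.Certificate, roots *x509.CertPool, param string) bool {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // untrusted issuer, outside validity period, or wrong key usage
	}
	for _, name := range strings.FieldsFunc(param, func(r rune) bool { return r == ';' || r == ',' || r == ' ' }) {
		for _, have := range append([]string{leaf.Subject.CommonName}, leaf.DNSNames...) {
			if strings.EqualFold(name, have) {
				return true
			}
		}
	}
	return false
}

// mintCert builds a constructed test fixture: a self-signed root when parent is nil, otherwise a cert signed by parent.
func mintCert(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := mintCert("Example Corp Root CA", nil, true, nil, nil)
	roots := x509.NewCertPool() // stands in for the operating system's trusted root store
	roots.AddCert(ca)
	rotated, _ := mintCert("mc.example.internal", []string{"mc.example.internal"}, false, ca, caKey)
	fmt.Println(serverTrusted(rotated, roots, "mc.example.internal;mc-backup.example.internal")) // prints true
}
```

Any freshly issued Management Console certificate passes as long as it chains to the deployed CA and carries a configured name, which is the rotation property the feature provides.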