What is a one sentence summary of your feature request?
Allow Shared CA Signed Cert Between Agents and Enterprise Manager
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
In the current Netwrix architecture, when the Enterprise Manager is configured to use CA-signed certificates, each deployed agent requires its own individual CA-signed certificate to establish a secure connection. This design is unmanageable in a large environment with a thousand agents. Additionally, when leveraging vendor-generated certificates, the agent certificates are signed by an internal CA, which breaks the full chain of trust expected by vulnerability scanners such as Qualys. Even though the Enterprise Manager itself uses a trusted third-party certificate, scans still detect the agents' connection as untrusted or self-signed. A further operational limitation is that after switching the Enterprise Manager to a CA-signed cert, it is no longer possible to deploy new agents from the admin console without additional manual steps on each target agent to configure and trust the CA certificate. This manual intervention significantly increases deployment time and administrative overhead even when leveraging SCCM.
Here are a couple ideas:
- Enterprise Manager as CA: Allow the Enterprise manager to act as an internal CA or intermediary, issuing certs to agents automatically. This would preserve the chain of trust anchored in the trusted third-party cert.
- Certificate pinning or Enrollment API: Support agent enrollment via secure API with automatic certificate retrieval from Enterprise Manager without manual steps.
- Mutual TLS with Single CA-Trusted Cert: Enable a design where the enterprise manager’s CA-signed cert can be used for mutual TLS without requiring individual agent certs.
- Bulk Agent Certificate Provisioning: Provide tooling to generate and distribute certificates at scale with minimal administrative intervention.
- Enhanced Chain Reporting: Ensure agents present a full certificate chain including the trusted root to scanning tools like Qualys.
How do you currently solve the challenges you have by not having this feature?
We have to open a risk acceptance and gradually migrate with new Enterprise Managers, slowly unenrolling and re-enrolling each agent, which will take months to prevent a substantial outage.
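Added example, not Netwrix's code, modelling the "Enterprise Manager as CA" and "Enhanced Chain Reporting" ideas above: a constructed PKI in which a third-party root signs an Enterprise Manager intermediate, which in turn issues the agent cert, followed by the check a scanner that trusts only the root would perform. It assumes openssl 1.1.1 or later on PATH; all subject names and file names are placeholders.

```shell
#!/bin/sh
# Constructed PKI: third-party root -> Enterprise Manager intermediate -> agent leaf.
set -eu
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

build_pki() {
  # 1. Stand-in for the trusted third-party root the scanner already trusts.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Third-Party Root" \
    -keyout "$PKI/root.key" -out "$PKI/root.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/root.ext"
  openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" -days 30 -sha256 \
    -extfile "$PKI/root.ext" -out "$PKI/root.pem" >/dev/null 2>&1
  # 2. Enterprise Manager acting as an intermediate CA, chained to the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Enterprise Manager Issuing CA" \
    -keyout "$PKI/em.key" -out "$PKI/em.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/em.ext"
  openssl x509 -req -in "$PKI/em.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$PKI/em.ext" -out "$PKI/em.pem" >/dev/null 2>&1
  # 3. Agent leaf issued automatically by the Enterprise Manager (no per-agent manual CA step).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=agent01.example.internal" \
    -keyout "$PKI/agent.key" -out "$PKI/agent.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:agent01.example.internal\n' > "$PKI/agent.ext"
  openssl x509 -req -in "$PKI/agent.csr" -CA "$PKI/em.pem" -CAkey "$PKI/em.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$PKI/agent.ext" -out "$PKI/agent.pem" >/dev/null 2>&1
}

# Validate the agent cert as a scanner would: its trust store holds only the third-party root.
#   leaf-only  : agent presents just its own cert (what an internal-CA-only agent shows today)
#   full-chain : agent presents leaf plus the Enterprise Manager intermediate
# Returns 0 when the chain validates back to the root, non-zero otherwise.
verify_as_scanner() {
  case "$1" in
    leaf-only)  openssl verify -CAfile "$PKI/root.pem" "$PKI/agent.pem" >/dev/null 2>&1 ;;
    full-chain) openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/em.pem" \
                  "$PKI/agent.pem" >/dev/null 2>&1 ;;
    *) return 2 ;;
  esac
}

# Stand-alone run: leaf-only fails (missing intermediate), full-chain succeeds.
if [ "${1:-}" = "demo" ]; then
  build_pki
  verify_as_scanner leaf-only  && echo "leaf-only: trusted"  || echo "leaf-only: untrusted (unable to get issuer)"
  verify_as_scanner full-chain && echo "full-chain: trusted" || echo "full-chain: untrusted"
fi
```

The same two checks show why the "Enhanced Chain Reporting" idea matters: the agent cert is identical in both cases, and only the presence of the intermediate in the presented chain decides whether a scanner with the third-party root in its store reports it as trusted.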