# fleet
n
I need to change the fleet certificate. Do you have any idea how I can do it? If I change the certificate, all my agents will get disconnected, and it will take time to update all the certificates on the agents.
l
Hi @nick fury! If you are using a custom certificate on the endpoints and you are changing to a completely different certificate, then yes, updating it will require modifying the certificate already deployed in the agents.
n
It's not completely different; it's the same URL. The expiration date of my certificate is in a couple of months.
l
OK, but do the certificates share a root/intermediate CA?
n
@Lucas Rodriguez are you saying that there is nothing I can do, and my agents will be disconnected for some time?
Yes, a private CA.
l
OK, then it's worth testing whether your agents really need to have their certificates changed. Maybe they'll trust the new certificate because it's signed by the same CA?
a
Sorry to weirdly revive an old thread, but I'm currently working on this exact problem:
> updating it will require modifying the certificate already deployed in the agents
@Lucas Rodriguez Is there a recommended way to do this kind of mass certificate replacement?
l
Hi Andrew! It depends on what certificate was passed to the osquery agents. Did you pass a CA certificate? (If it's a leaf certificate, AFAICS you have no choice but to deploy the new certificates to your devices.)
a
We passed this public root certificate, and unfortunately only this public root certificate. It expires in May 2025, so that's why a mass replacement/swap/overwrite will be needed. Or a mass re-install, as the backup plan.
l
Ah, it seems it's a leaf certificate, so yes, you will need a mass replacement. If this is a vanilla osquery deployment, you might require a separate management tool like Chef or Puppet to push the new certificate to where osquery is expecting it (`--tls_server_certs`).
a
Makes sense, thank you!