mTLS (Mutual TLS)
Agent authentication using certificates.
Overview
SlimRMM uses mutual TLS (mTLS) to authenticate agents. Both the server and agent present certificates, ensuring bidirectional trust.
How It Works
1. Agent connects to server
2. Server presents its certificate
3. Agent validates server certificate
4. Agent presents its certificate
5. Server validates agent certificate
6. Connection established
Certificate Hierarchy
Root CA (SlimRMM PKI)
├── Server Certificate
└── Agent Certificates
├── Agent 1
├── Agent 2
└── Agent N
Certificate Lifecycle
Generation
- Agent registers with server
- Server generates certificate
- Certificate sent to agent
- Agent stores certificate locally
Renewal
- Certificates valid for 1 year (configurable)
- Agent requests renewal before expiry
- Seamless renewal without downtime
Revocation
- Revoke from admin panel
- Agent cannot reconnect
- CRL (Certificate Revocation List) checked
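To make the six handshake steps and the revocation check concrete, here is an added Go example (not SlimRMM's own code) that builds the hierarchy above in memory, a root CA signing one server certificate and per-agent certificates, and then runs the mutual handshake over loopback TCP with the server refusing any agent whose serial number is on a revocation list. The host name server.slimrmm.local, the agent names and the in-memory map standing in for the CRL are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue mints a key pair and certificate for cn: a self-signed root CA when parent is nil, otherwise a leaf signed by parent.
func issue(cn string, serial int64, parent *tls.Certificate, eku x509.ExtKeyUsage) *tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0), // PKI_CERT_VALIDITY_DAYS=365
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // root CA: signs certificates and CRLs, lives 10 years (PKI_CA_VALIDITY_DAYS=3650), signs itself
		t.IsCA, t.BasicConstraintsValid, t.DNSNames, t.KeyUsage, t.NotAfter = true, true, nil, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, time.Now().AddDate(10, 0, 0)
		parent = &tls.Certificate{Leaf: t, PrivateKey: priv}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// Handshake runs steps 1-6 over loopback TCP and returns the server's verdict; revoked stands in for the CRL (assumed demo stand-in).
func Handshake(ca, server, agent *tls.Certificate, revoked map[int64]bool) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf) // the only trust anchor on either side is the SlimRMM root CA
	srv := &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, // step 5: the agent cert must chain to the root CA and carry clientAuth
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error { // CRL check, after chain validation
			if leaf := chains[0][0]; revoked[leaf.SerialNumber.Int64()] { return fmt.Errorf("agent %q is revoked", leaf.Subject.CommonName) }
			return nil
		}}
	cli := &tls.Config{Certificates: []tls.Certificate{*agent}, RootCAs: pool, ServerName: server.Leaf.Subject.CommonName} // step 3 config
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil { return err }
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: steps 2 and 5; Close sends close_notify unless the handshake already sent an alert
		conn, err := ln.Accept()
		if err == nil { err = conn.(*tls.Conn).Handshake(); conn.Close() }
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli) // agent side: steps 1, 3 and 4
	if err == nil { c.Read(make([]byte, 1)); c.Close() } // step 6 is real only once the server has accepted us
	if sErr := <-srvErr; sErr != nil { return sErr }
	return err
}
```

A valid agent completes the handshake, while a revoked serial, a certificate from a foreign CA, or a certificate lacking the clientAuth extended key usage is refused by the server before any application data flows.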
Configuration
Server Settings
```bash
PKI_CA_CERT_PATH=./certs/ca.crt
PKI_CA_KEY_PATH=./certs/ca.key
PKI_CA_VALIDITY_DAYS=3650 # 10 years
PKI_CERT_VALIDITY_DAYS=365 # 1 year
```
Agent Storage
| Platform | Location |
|---|---|
| Linux | /var/lib/slimrmm/ |
| macOS | /var/lib/slimrmm/ |
| Windows | %ProgramData%\SlimRMM\certs\ |
Security Benefits
- Mutual verification: Both parties authenticated
- No passwords over wire: Certificate-based
- Per-agent identity: Unique certificate per agent
- Revocation support: Disable compromised agents
- Encryption: All data encrypted in transit