To ensure that your deployments on Windows are as secure as possible, we've updated our code-signing algorithms and certificates.
Dynatrace enables you to monitor even the most highly complex and heterogeneous IT environments, where in many cases, the human mind alone simply can’t make sense of all monitored entities and their relationships so as to understand the nature, impact, and root cause of detected problems and events. Such insights are possible thanks to the high quality of the monitoring data that Dynatrace OneAgent provides to our Davis AI causation engine.
What’s changed?
New code-signing keys and certificates follow the evolution of industry security standards
The certificates for the signatures of all Dynatrace-provided binaries and installations for Microsoft Windows systems were previously based on 2048-bit RSA keys. These keys (and the certificates) have been updated to new keys based on a 384-bit elliptic curve (P-384). In addition, the new certificates are based on the secure hash algorithm 2 (SHA-2) using 384-bit length (SHA-384).
This change is driven by industry standards and complies with recommendations from authorities such as SSL and DigiCert.
New code-signing signature algorithm recommended by NIST
Starting with Dynatrace version 1.225, the hashing algorithm for code signing has changed from the previously used SHA-1 to SHA-256.
This follows the recommendations of the National Institute of Standards and Technology (NIST), which deprecated SHA-1. The change became possible once support for Windows 7 and Windows 2008 R1 ended.
What does this mean for me?
Basically, this means that Dynatrace installations on Windows are more secure. These changes should be totally transparent for Dynatrace end users who have updated Windows systems.
If your Windows hosts are not up to date with the newest Microsoft security updates, some manual actions may be required:
- If your system is not up to date and does not support SHA-2, please install the security updates listed on the Microsoft support pages.
- If for some reason you do not have the renewed trusted certificates from DigiCert installed in your certificate store (which normally happens automatically), please install root certificates from the DigiCert site. (If you want to limit the certificates installed, DigiCert Global Root G3 is a good choice.)
Please visit our documentation or contact Dynatrace ONE for further assistance.
Note that all installations and binaries signed and delivered before now remain valid and respected because of the timestamp of the signature.
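As an added example (not Dynatrace's own tooling), the PowerShell function below checks a host against the points above: whether the DigiCert root is in the machine's Trusted Root store, whether Windows accepts the installer's signature, which key type and hash algorithm the signing certificate uses, and whether the signature carries a timestamp. The function name and the installer path are assumptions made for illustration.

```powershell
# Added example. Function name and installer path are assumptions, not Dynatrace values.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,            # installer or binary to inspect
        [string] $RootName = 'DigiCert Global Root G3'    # root certificate named on this page
    )

    # Windows validates the Authenticode signature and builds the chain for us.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Presence check for the root in the machine-wide Trusted Root store.
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$RootName,*" } |
        Select-Object -First 1

    # Key type and size of the signing certificate (try ECDSA first, then RSA).
    $keyInfo = $null
    if ($cert) {
        $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
        if ($ec) {
            $keyInfo = "ECDSA $($ec.KeySize)-bit"
        } else {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa) { $keyInfo = "RSA $($rsa.KeySize)-bit" }
        }
    }

    [pscustomobject]@{
        File             = $Path
        Status           = $sig.Status          # Valid, NotTrusted, HashMismatch, NotSigned, ...
        StatusMessage    = $sig.StatusMessage
        Signer           = if ($cert) { $cert.Subject } else { $null }
        SignerKey        = $keyInfo             # new certificates should report ECDSA 384-bit
        CertSignatureAlg = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        Timestamped      = [bool]$sig.TimeStamperCertificate
        RootInStore      = [bool]$root
        RootThumbprint   = if ($root) { $root.Thumbprint } else { $null }
    }
}

# Hypothetical path: point this at the installer you actually downloaded.
Test-InstallerSignature -Path 'C:\Temp\Dynatrace-OneAgent-Windows.exe' | Format-List
```

Matching on the subject name only shows that a certificate with that name is present, so compare the reported thumbprint with the one DigiCert publishes. A `NotTrusted` or `UnknownError` status on an otherwise intact file usually points to the missing root or missing SHA-2 support described above.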