Custom certificate requirements

If you want to use your own certificate to secure the communication between AppMon components, the provided key pair and certificate chain must meet the following criteria:

  • Only RSA key pairs are supported.
  • Key length must be at least 2048 bits.
  • The key pair must not be encrypted.
  • You must provide the whole certificate chain, including CA certificates.
  • Key pair and certificates must be provided in PEM format.
  • No additional certificates or chains are allowed. This means the chain must not contain any certificates that are not used by the supplied trusted chain.
  • More than one certificate chain is supported, but there may be only one certificate that signs the key pair itself. This means every trusted chain must start with the same certificate.

The wizard only accepts one file where all items are included. This file can be in PEM format, or a ZIP archive that contains only PEM entries.

Requirements for the ZIP archive:

  • Password-protected ZIP archives are not allowed.
  • Only archive entries ending with .pem are allowed.
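
A pre-flight check of the upload file against the structural requirements above (ZIP entries, PEM block types, key encryption), as an added example that is not part of the AppMon documentation or product. The function names, the constructed sample and the exactly-one-key rule are assumptions; key length, the key type inside a PKCS#8 block and the chain contents are left to OpenSSL.

```python
import io
import re
import zipfile

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: real PEM labels, placeholder bodies (not usable keys).
SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
          "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")

def pem_texts(data):
    """Return (texts, problems) for a raw PEM file or a ZIP of PEM entries."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [data.decode("ascii", "replace")], []
    texts, problems = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                problems.append(f"{info.filename}: password-protected entry")
            elif not info.filename.endswith(".pem"):
                problems.append(f"{info.filename}: entry does not end with .pem")
            else:
                texts.append(zf.read(info).decode("ascii", "replace"))
    return texts, problems

def check_upload(data):
    """List violations of the structural requirements; an empty list passes."""
    texts, problems = pem_texts(data)
    keys = certs = 0
    for text in texts:
        for label, body in PEM_BLOCK.findall(text):
            if label == "CERTIFICATE":
                certs += 1
            elif label.endswith("PRIVATE KEY"):
                keys += 1
                if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
                    problems.append("private key is encrypted")
                elif label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
                    problems.append(f"{label}: only RSA key pairs are supported")
            else:
                problems.append(f"unexpected PEM block: {label}")
    if keys != 1:  # assumption: the page's "key pair" means exactly one key
        problems.append(f"expected exactly one private key, found {keys}")
    if certs == 0:
        problems.append("no certificate chain found")
    return problems

if __name__ == "__main__":
    print(check_upload(SAMPLE.encode()))
```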

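You can verify these preconditions with OpenSSL, as in the following example. Note that the first command writes the unencrypted private key to the terminal; adding -noout to it suppresses that output.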

$ openssl rsa -in key-pair.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ openssl x509 -in certificate-chain.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6495580910137006250 (0x5a24f06c368658aa)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=appmon CA
        Validity
            Not Before: Oct  3 22:00:00 2016 GMT
            Not After : Oct  3 22:00:00 2018 GMT
        Subject: CN=appmon
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha512WithRSAEncryption
         ...