Deploy a new key pair and certificate chain
The currently used key pair can be replaced by:
- A wizard-generated self-signed certificate.
- A customer-provided self-signed certificate.
See Custom Certificate Requirements if you plan to import your own.
See Disallow Private Key deployment to Client and Collector for information on securely deploying a new Private Key and Certificate in a potentially insecure environment.
You must restart the AppMon Server and, if applicable, the Memory Analysis Server after deployment.
You must also restart all Collectors to apply changes after a certificate deployment.
Do not use the certificate management wizard if you cannot restart at least the AppMon Server processes.
If you choose to create a self-signed certificate, remember that the created certificate is not an officially trusted one.
When connecting using a browser, you typically receive a warning about an unknown identity.
You must accept the certificate to proceed. For details consult the documentation of your browser.
Use the Certificate wizard to:
- Check preconditions.
- Create a new self-signed key pair and certificate, or import a customer-provided one.
- Deploy the items to the Dynatrace Server, Memory Analysis Server, Collector and Client.
- Restart mandatory and optional processes.
Start the wizard using the Client by selecting Settings > Dynatrace Server > Certificate Management > Manage and clicking Start wizard under either Generate and Deploy or Import and Deploy.
Step 1 - Check preconditions
The wizard informs you about the restarts that are necessary after a deployment. It also reports whether the Collectors and the Memory Analysis Server are connected and whether the Collectors are the same version. This helps to avoid manual steps after certificate deployment.
Offline Memory Analysis Server and / or Collector(s)
If you do not operate a Memory Analysis Server in the AppMon tool chain, ignore the offline warning. Otherwise, start it and restart the wizard.
Click the Create list of Collector details button to export the list of affected Collectors.
Be aware that you can proceed, but offline Collectors do not receive the new key pair and therefore cannot connect later. Ignore this warning only if you know what you are doing.
Collector version mismatch
Similar to the offline warning, an error appears if Collectors earlier than 6.3 are present. In that case you cannot proceed. You must upgrade all Collectors first. Export the Collector details list to assist in this.
Resolve issues manually later
See Advanced Features - Certificates, Private Keys and Keystore to handle components that were offline or version-mismatched (Collectors) during deployment.
Step 2 - Certificate chain and keys - create or import
Alternative 1 - create a self-signed certificate
Enter values for CN and ISSUER, choose the validity and click Create private key.
Now optionally export the generated certificate and key pair.
The exported ZIP contains the generated private key used to encrypt communication. Handle the file with care and store it at a safe location.
Alternative 2 - import certificate and key pair
Step 3 - Deploy to components
This dialog box shows the result of deploying the key pair to all currently connected tiers. This is not enabled if you do not operate a Memory Analysis Server.
Step 4 - Select components to restart
AppMon Server and Memory Analysis Server (if applicable) always need to be restarted immediately.
Depending on your environment this may take a few minutes to complete.
Check the Collectors check box to restart all currently connected ones now, or postpone the restart until later.
After the deployment has finished, you can verify usage by navigating to the Certificate Overview horizontal tab. If the Collectors were not restarted, the newly deployed private key is not applied until they are restarted manually.
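An out-of-band check to go with the browser warning for a self-signed certificate, as an added example that is not part of the AppMon documentation: it compares the SHA-256 fingerprint of the certificate exported in Step 2 with the one an endpoint actually presents, so the certificate is accepted only if both match. It assumes the exported certificate is available as a PEM file with the leaf certificate first; the file path, host and port are supplied by you and are not taken from this page.

```python
"""Compare an exported certificate's fingerprint with the one an endpoint presents."""
import hashlib
import hmac
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM string.

    Assumption: if the file holds a chain, the leaf certificate comes first.
    Raises ValueError if no PEM certificate block is found.
    """
    start = pem.index(BEGIN)
    end = pem.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem[start:end])
    return hashlib.sha256(der).hexdigest()


def matches(expected_pem: str, presented_pem: str) -> bool:
    """True only if both PEM strings carry the same leaf certificate."""
    return hmac.compare_digest(fingerprint(expected_pem), fingerprint(presented_pem))


def presented_certificate(host: str, port: int) -> str:
    """Fetch the certificate the endpoint presents, as PEM.

    No chain validation is done here on purpose: a self-signed certificate
    cannot validate against the system trust store, so it is pinned by
    fingerprint instead.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_cert.py <exported-cert.pem> <host> <port>")
    with open(sys.argv[1], encoding="ascii") as fh:
        expected = fh.read()
    presented = presented_certificate(sys.argv[2], int(sys.argv[3]))
    print("expected :", fingerprint(expected))
    print("presented:", fingerprint(presented))
    sys.exit(0 if matches(expected, presented) else 1)
```

A non-zero exit code means the endpoint is presenting a different certificate than the one you exported, for example because the component has not been restarted yet.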