Sign extension

Each extension uploaded to a Dynatrace environment must be signed so that Dynatrace can verify the authenticity and integrity of the extension.

Alternative command-line tool

The Dynatrace CLI (dt-cli) is a command-line utility that assists you in developing, signing, and building extensions for the Dynatrace Extensions 2.0 framework.

This utility, which is still in the early stages of development and is evolving quickly, now enables you to:

  • Build and sign extensions from source
  • Generate development certificates for extension signing
  • Generate CA certificates for development

For details, see dt-cli on GitHub.

We encourage you to try signing and building your extension with dt-cli, but you can instead follow the manual procedure below if you prefer.

To sign your extension manually, use OpenSSL. For Windows, you need to download and install an OpenSSL binary of your choice. We tested the procedure with OpenSSL 1.1.1k.

Create the root key and certificate

Your company should issue developer certificates from a company-wide root certificate. When developers sign their extensions with their own developer certificates, Dynatrace will be able to verify the extension authenticity against your root certificate stored in the Dynatrace credential vault and on the hosts where extensions are executed.

Run the following commands to generate your organization's root certificate. Do not set the password. Password-protected certificates are not supported by Dynatrace.

openssl genrsa -out root.key 2048
openssl req -days 10000 -new -x509 -key root.key -out root.pem
openssl rsa -in root.key -pubout -out root.pub.key

This generates your root.pem root certificate.

Note that you can also use an existing root certificate to generate developer certificates. Dynatrace accepts only PFX, P12, and PEM formats, so you may need to convert the existing certificate to one of the allowed formats. Refer to the OpenSSL documentation for conversion instructions.

Add your root certificate to the Dynatrace credential vault

  1. From the navigation menu, select Settings > Web and mobile monitoring > Credential vault.
  2. Select Add new credential.
  3. For Credential type, select Public Certificate.
  4. Add a meaningful Credential name.
  5. Upload the Root certificate file.
  6. Select Save.

Upload your root certificate

The host running your extension needs your root certificate to verify the authenticity of the extension.

Remote extensions

Upload your root certificate to each ActiveGate host within the ActiveGate group selected for running your extensions.

Save the root.pem certificate file in the following location:

  • Linux:
    <CONFIG>/remotepluginmodule/agent/conf/certificates/ (default: /var/lib/dynatrace/remotepluginmodule/agent/conf/certificates/)
  • Windows:
    %PROGRAMDATA%\dynatrace\remotepluginmodule\agent\conf\certificates

Local extensions

Upload your root certificate to each OneAgent host, or to each OneAgent host within the host group selected for running your extensions.

Save the root.pem certificate file in the following location:

  • Linux:
    /var/lib/dynatrace/oneagent/agent/config/certificates
  • Windows:
    %PROGRAMDATA%\dynatrace\oneagent\agent\config\certificates

Create a developer certificate

To create your developer certificate, you need to create a developer certificate signing request and then issue the certificate.

Create a developer certificate signing request

Run the following commands to generate the certificate signing request (CSR) to the root CA:

openssl genrsa -out developer.key 2048
openssl rsa -in developer.key -pubout -out developer.pub.key
openssl req -new -key developer.key -out developer.csr

When filling in the fields for the Distinguished Name (DN), make sure that at least one field differs from the DN you defined for the root certificate. If the two DNs were identical, OpenSSL would treat the developer certificate as self-signed and chain verification against the root certificate would fail.

The result is the developer.csr CSR that you'll use to issue the developer certificate from the root certificate.

Issue a developer certificate

Run the following command to generate the developer certificate:

openssl x509 -req -days 10000 -in developer.csr -CA root.pem -CAkey root.key -CAcreateserial -out developer.pem

The result is the developer.pem certificate file that you'll use for signing your extensions.

Sign your extension

With the developer certificate in place, use the following command to sign your extension. Make sure that your extension.zip file is in the directory from which you run the command.

openssl cms -sign -signer developer.pem -inkey developer.key -binary -in extension.zip -outform PEM -out extension.zip.sig

The result is an extension.zip.sig signature file.

Verify signature

Use the following command to verify the extension.zip.sig signature file against the root.pem root certificate:

openssl cms -verify -CAfile root.pem -in extension.zip.sig -binary -content extension.zip -inform PEM -noout

The output should contain the phrase Verification successful.
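As an added example (not code from the Dynatrace docs or from dt-cli), the following POSIX shell script runs the root, developer, sign and verify steps above non-interactively, passing constructed sample DNs with -subj instead of answering the interactive prompts, and then shows that verification fails for an archive modified after signing. It assumes openssl is on PATH; the file names match the procedure, WORK is a scratch directory the script creates, and the helper function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the Dynatrace docs): the manual flow above run
# non-interactively with constructed -subj DNs, plus a tamper check. Needs openssl.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for every generated file
# Root key/cert, then a developer CSR issued by the root. The CN differs between
# the two DNs, as the procedure requires.
make_certs() {
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -days 10000 -new -x509 -key "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/O=Example Corp/CN=Example Corp Extension Root"
  openssl genrsa -out "$WORK/developer.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/developer.key" -out "$WORK/developer.csr" \
    -subj "/O=Example Corp/CN=Example Corp Extension Developer"
  openssl x509 -req -days 10000 -in "$WORK/developer.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/developer.pem" 2>/dev/null
}

# Detached CMS signature over the archive, written beside it as <archive>.sig.
sign_extension() {
  openssl cms -sign -signer "$WORK/developer.pem" -inkey "$WORK/developer.key" \
    -binary -in "$1" -outform PEM -out "$1.sig"
}

# Verify <archive>.sig against root.pem, as the host does. Echoes "ok" or
# "fail" so callers need not parse openssl's stderr message.
verify_extension() {
  if openssl cms -verify -CAfile "$WORK/root.pem" -in "$1.sig" -binary \
       -content "$1" -inform PEM -noout >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# End to end: sign a constructed stand-in archive, verify it, then verify a copy
# with one byte appended, which must fail. Echoes both results, i.e. "ok fail".
demo() {
  printf 'constructed stand-in for extension.zip\n' > "$WORK/extension.zip"
  sign_extension "$WORK/extension.zip"
  cp "$WORK/extension.zip" "$WORK/tampered.zip"
  cp "$WORK/extension.zip.sig" "$WORK/tampered.zip.sig"
  printf 'x' >> "$WORK/tampered.zip"
  echo "$(verify_extension "$WORK/extension.zip") $(verify_extension "$WORK/tampered.zip")"
}
if command -v openssl >/dev/null 2>&1; then
  make_certs
  demo
fi
```

The generated keys, certificates, signature and the tampered copy are left in the WORK directory so you can inspect them with openssl x509 or openssl cms -cmsout.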

Create extension package

For the final step, create an extension package containing only the extension.zip archive and the extension.zip.sig signature file.

my-custom-extension.zip
|    extension.zip
|    extension.zip.sig

You can now upload the extension package to your Dynatrace environment. For more information, see Manage Extensions 2.0 lifecycle.