Sign extension

Each extension uploaded to a Dynatrace environment must be signed so that Dynatrace can verify the authenticity of the extension. Use OpenSSL to sign your extension. For Windows, you need to download and install an OpenSSL binary of your choice.

Create the root key and certificate

Your company developers will issue their own certificates from your company root certificate. When developers sign their extensions with their own developer certificates, Dynatrace will be able to verify the extension authenticity against your root certificate stored in the Dynatrace credential vault.

Run the following commands to generate your organization's root certificate. Do not set the password. Password-protected certificates are not supported by Dynatrace.

openssl genrsa -out ca_one.key 2048
openssl req -days 10000 -new -x509 -key ca_one.key -out ca_one.crt
openssl rsa -in ca_one.key -pubout -out ca_one.pub.key

This generates your ca_one.crt root certificate. Dynatrace accepts only PFX, P12, and PEM formats, so you need to convert the CRT certificate to one of the allowed formats. For example:

openssl pkcs12 -export -in ca_one.crt -nokeys -passout pass: -out ca_one.p12

Add your root certificate to the Dynatrace credential vault

  1. From the navigation menu, select Settings > Web and mobile monitoring > Credential vault.
  2. Select Add new credential.
  3. For Credential type, select Public Certificate.
  4. Add a meaningful Credential name.
  5. Upload the Certificate file.
  6. Select Save.

Upload your root certificate to an ActiveGate group running your extension

After you convert your root certificate to PFX, P12, or PEM, upload it to all the ActiveGates in a group you'll use to run your extension.

Save the certificate in the following location:

  • Linux:
    <CONFIG>/remotepluginmodule/agent/conf/certificates/ (default: /var/lib/dynatrace/remotepluginmodule/agent/conf/certificates/)
  • Windows:
    %PROGRAMDATA%\dynatrace\remotepluginmodule\agent\conf\certificates

Create a developer certificate signing request

Run the following commands to generate the developer key pair and the certificate signing request (CSR) for the root CA:

openssl genrsa -out developer.key 2048
openssl rsa -in developer.key -pubout -out developer.pub.key
openssl req -new -key developer.key -out developer.csr

When filling in the fields for the Distinguished Name (DN), make sure that at least one of the fields is different from the DN you defined for the root certificate.

The result is the developer.csr CSR that you'll use to issue the developer certificate from the root certificate.

Create developer certificate

Run the following command to generate the developer certificate:

openssl x509 -req -days 10000 -in developer.csr -CA ca_one.crt -CAkey ca_one.key -CAcreateserial -out developer.crt

The result is the developer.crt you'll use for signing your extensions.

Sign extension

Finally, use the following command to sign your extension. Make sure that your extension.zip file is in the directory from which you run the command.

openssl cms -sign -signer developer.crt -inkey developer.key -binary -in extension.zip -outform PEM -out extension.zip.sig

The result is an extension.zip.sig signature file. Compress it together with the extension ZIP archive and give it any name.
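
To check the signature locally before uploading, the following added example (not part of the Dynatrace documentation or tooling) verifies extension.zip.sig against the root certificate with openssl cms -verify. The function names and the subject DNs are assumptions made for illustration; build_demo_signature runs the signing steps above without prompts on a constructed placeholder file.

```shell
#!/bin/sh
# Added example, not Dynatrace code. Function names are hypothetical.

# verify_extension_signature ROOT_CRT EXTENSION_ZIP SIGNATURE
# Exit status 0 only if the detached CMS signature covers EXTENSION_ZIP and
# the signer certificate embedded in it chains to ROOT_CRT. -no-CApath keeps
# the system trust store out of the decision.
verify_extension_signature() {
    openssl cms -verify -binary -inform PEM \
        -in "$3" -content "$2" \
        -CAfile "$1" -no-CApath \
        -out /dev/null 2>/dev/null
}

# build_demo_signature DIR
# Runs the signing steps from this page in DIR without prompts. The -subj
# values are constructed; the two DNs differ, as the CSR step requires.
# The public-key exports are skipped because verification does not use them.
build_demo_signature() (
    cd "$1" || exit 1
    printf 'constructed placeholder, not a real extension\n' > extension.zip
    {
        openssl genrsa -out ca_one.key 2048 &&
        openssl req -days 10000 -new -x509 -key ca_one.key -out ca_one.crt \
            -subj '/O=Example Corp/CN=Example Extension Root' &&
        openssl genrsa -out developer.key 2048 &&
        openssl req -new -key developer.key -out developer.csr \
            -subj '/O=Example Corp/CN=Example Developer' &&
        openssl x509 -req -days 10000 -in developer.csr -CA ca_one.crt \
            -CAkey ca_one.key -CAcreateserial -out developer.crt &&
        openssl cms -sign -signer developer.crt -inkey developer.key \
            -binary -in extension.zip -outform PEM -out extension.zip.sig
    } >/dev/null 2>&1
)

# Stand-alone use: sh script.sh ca_one.crt extension.zip extension.zip.sig
if [ "$#" -eq 3 ]; then
    if verify_extension_signature "$1" "$2" "$3"; then
        echo "signature valid and signer chains to $1"
    else
        echo "verification FAILED" >&2
        exit 1
    fi
fi
```

A non-zero exit status means either the archive changed after signing or the signer certificate does not chain to the root certificate you passed in.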