How do I add a certificate to the Dynatrace Server trust store?

There may be times when you need to manually add a certificate to the Dynatrace Server trust store, for example, if Dynatrace Server refuses to accept a certificate when sending emails or webhook notifications. This typically happens when a self-signed certificate is used.

How to know when Dynatrace Server isn't accepting certificates

If Dynatrace Server is having trouble sending notifications, look for any files in the log directory of your Dynatrace Server installation that have the name pattern server.*.*.log.

If any files with this naming pattern exist in the log folder, search through those log files for the following entry:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException

Log entries such as the example above indicate that the certificate provided by the notification receiver wasn't accepted by Dynatrace Server. The reason for this is usually that the certificate isn't trusted.
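The log check described above can be scripted. The following Python sketch is an added example, not Dynatrace code: it scans a log directory for files matching server.*.*.log and reports each PKIX failure, including entries that wrap onto a second line as in the excerpt above. The function names and the sample log lines are constructed for illustration.

```python
import fnmatch
import os
import tempfile

LOG_PATTERN = "server.*.*.log"  # file name pattern given on this page
VALIDATOR = "sun.security.validator.ValidatorException: PKIX path building failed"
BUILDER = "sun.security.provider.certpath.SunCertPathBuilderException"

def find_pkix_failures(log_dir):
    """Return (file name, line number, entry) for each PKIX failure found."""
    hits = []
    for name in sorted(os.listdir(log_dir)):
        if not fnmatch.fnmatch(name, LOG_PATTERN):
            continue
        path = os.path.join(log_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        for i, line in enumerate(lines):
            if VALIDATOR not in line:
                continue
            # The exception text may wrap onto the following line, as in the
            # entry quoted above, so join it before checking for the cause.
            entry = line.strip()
            if BUILDER not in entry and i + 1 < len(lines):
                entry += " " + lines[i + 1].strip()
            if BUILDER in entry:
                hits.append((name, i + 1, entry))
    return hits

def demo():
    """Run the scan over constructed sample logs in a temporary directory."""
    samples = {
        # Constructed log lines; real Dynatrace log lines carry more fields.
        "server.0.0.log": "notification sent\n" + VALIDATOR + ":\n"
            + BUILDER + ": unable to find valid certification path\n",
        "server.0.1.log": "WARN " + VALIDATOR + ": " + BUILDER + "\n",
        "server.0.2.log": "notification sent\n",
        "other.0.0.log": VALIDATOR + ": " + BUILDER + "\n",  # name does not match
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_pkix_failures(tmp)

if __name__ == "__main__":
    for name, lineno, entry in demo():
        print(f"{name}:{lineno}: {entry}")
```

To scan a real installation, call find_pkix_failures with the path to the log directory of your Dynatrace Server installation.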

Add a custom certificate to the Dynatrace Server trust store

You can use Java KeyTool commands to create the KeyStore. Dynatrace redistributes Java KeyTool as part of the JRE installed with Dynatrace Server. By default, this tool is available in <programfiles>\Dynatrace\gateway\jre\bin.

Open a command prompt and switch to the directory where the Java KeyTool is located.

Create the KeyStore for the custom certificate. See Generating a KeyStore and TrustStore for information on creating a Java KeyStore.

Export the custom certificate in CER format. For example, to export the certificate to a file named customcertificate.cer, specifying a password and the alias, enter a command similar to the following:

keytool -export -storepass passwd -alias dynatracealias -keystore /usr/java/jre/lib/security/cacerts -file /tmp/customcertificate.cer

Locate the Dynatrace keystore file trusted.jks. This file contains the Dynatrace Server TrustStore and is typically located in <ProgramData>\dynatrace\gateway\ssl\customkeys. However, the path to the trusted.jks file and the TrustStore password are provided in the config.properties file, which is in <ProgramData>\dynatrace\gateway\config.

[com.compuware.apm.webserver]
communication-keystore = customkeys/trusted.jks
communication-storepasswd = <password>

Enter the import command to add customcertificate.cer to trusted.jks. The following example is based on the previous export command example and the location for trusted.jks.

keytool -import -file /tmp/customcertificate.cer -alias dynatracealias -keystore <ProgramData>/dynatrace/gateway/ssl/customkeys/trusted.jks

Restart Dynatrace Server.