Configure SSL certificate for a Cluster ActiveGate

Communication to a Cluster ActiveGate is only possible over encrypted SSL connections. For external communication, a Cluster ActiveGate requires a publicly available IP address and a domain name with a valid SSL certificate. This domain must be different from the Web UI domain.

Configuration possibilities for ActiveGate domain and SSL certificate

Initially, after installation, Cluster ActiveGate will use a self-signed certificate generated by Dynatrace. You can then define a public IP address for the ActiveGate, and you can allow Dynatrace to manage the domain and to generate a valid CA-signed SSL certificate on your behalf. Alternatively, you can provide your own domain name and certificate for the ActiveGate.

  • If you allow Dynatrace to manage the domain and generate SSL certificates, then each Cluster ActiveGate with a public IP address will get a dedicated web domain (subdomain of dynatrace-managed.com) and a trusted SSL certificate.
  • If you do not allow Dynatrace to generate SSL certificates for ActiveGates, the ActiveGate will continue to use the self-signed certificate, or a certificate uploaded by the user to the ActiveGate through the Cluster Management Console or using the Cluster REST API v1.

Do not configure the SSL certificate directly on the device

Do not attempt to configure SSL certificates directly on your Cluster ActiveGate by uploading them to the device itself. If you do this, the certificate will be overwritten by the automatic management performed by Dynatrace.
Upload your certificate using the Cluster Management Console or the Cluster REST API v1.

Configure Dynatrace to manage the domain and certificate for Cluster ActiveGate

If you want to allow Dynatrace to manage the domain and certificate, use the Cluster Management Console to configure the following settings:

  • Select the ActiveGate in Deployment status > ActiveGates and provide a publicly available IP address for the Cluster ActiveGate.
  • For the cluster node, in the Dynatrace menu, go to Settings > Public endpoints and make sure that the Enable management of domain name and SSL certificates option is enabled.

Configure your own domain name and certificate for Cluster ActiveGate

Before you begin

You need the SSL certificate and key files you received from your Certificate Authority (CA):

  • Server certificate (.cer or .cert)

  • Root and Intermediate certificates (.cer or .cert)

  • Private key for certificates (.pem)

    Encrypted private keys

    We don't support encrypted private keys. To decrypt an SSL private key, run the following command:
    openssl rsa -in encrypted.ssl.key -out decrypted.ssl.key

    where

    • encrypted.ssl.key is the filename of your encrypted SSL private key.
    • decrypted.ssl.key is the output file for your decrypted SSL private key.

    The command will prompt you for the password and save the decrypted key in the decrypted.ssl.key file.

Specify the domain and turn off automatic management of domain and certificates

To provide your own domain name and certificate, from the Cluster Management Console, select the cluster node and in the Dynatrace menu, go to Settings > Public endpoints. Then disable the Enable management of domain name and SSL certificates option.

Then provide your own domain name in the Cluster ActiveGate URL field.

Upload your trusted certificate

If you want to use your own certificate or a CA-issued certificate, upload or paste the certificate to Cluster ActiveGate, either through the Cluster Management Console or the Cluster REST API v1. The following steps show the procedure using the Cluster Management Console:

Sign in to Dynatrace Managed as an administrator.

On the Deployment status page, select the ActiveGate you want to configure.

On the page for the selected ActiveGate, select Edit SSL certificate.

You can either paste or upload the certificates.

  • Private key: your private key.
  • Public key certificate: your server certificate.
  • Certificate chain: your root and intermediate certificates.

Important

The key and certificates need to be in PEM format with the full BEGIN headers and END footers.

Key header and footer format:

-----BEGIN PRIVATE KEY-----
(Private Key)
-----END PRIVATE KEY-----

Certificate header and footer format:

-----BEGIN CERTIFICATE-----
(SSL Certificate)
-----END CERTIFICATE-----

Select Save to upload the certificates.

Avoid name-mismatch errors

Your certificate is associated with a specific host name. To avoid a name-mismatch error, make sure that the common name (domain name) in the SSL certificate matches the address you specified in the Cluster ActiveGate URL field for the cluster node.
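
The requirements above (PEM format, an unencrypted private key, a key that belongs to the server certificate, a matching host name, and a complete chain) can be checked locally before you upload anything. The following script is an added example, not part of the Dynatrace tooling; the function name, the file arguments, and the domain are placeholders you supply, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: pre-upload checks for a Cluster ActiveGate certificate set.
# Usage: sh check.sh KEY SERVER_CERT CHAIN ACTIVEGATE_DOMAIN  (all caller-supplied)

check_activegate_cert() {
  key="$1"; cert="$2"; chain="$3"; domain="$4"; rc=0

  # PEM headers must be present on every file.
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
    { echo "FAIL: private key is not PEM"; rc=1; }
  for f in "$cert" "$chain"; do
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
      { echo "FAIL: $f has no PEM certificate"; rc=1; }
  done

  # Encrypted keys are not supported. Both PEM encodings of an encrypted key
  # contain the word ENCRYPTED (in the header or in the Proc-Type line).
  if grep -q 'ENCRYPTED' "$key"; then
    echo "FAIL: private key is encrypted, decrypt it first"; return 1
  fi

  # The private key must belong to the server certificate: compare public keys.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
    echo "FAIL: private key does not match the server certificate"; rc=1
  fi

  # Name mismatch: the certificate must cover the Cluster ActiveGate URL domain.
  openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
    grep -q 'does match' ||
    { echo "FAIL: certificate does not match $domain"; rc=1; }

  # The root and intermediate certificates must verify the server certificate.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: server certificate does not verify against the chain"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK: ready to upload"
  return "$rc"
}

# Run the checks only when called with the four arguments.
if [ "$#" -eq 4 ]; then check_activegate_cert "$@"; fi
```

The host name check uses openssl's -checkhost option, which compares the domain against the subject alternative names in the certificate and falls back to the common name when none are present.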