Install your own SSL certificate updated on Mon, 08 Apr 2019 13:05:46 +0200

Mon, 08 Apr 2019 13:05:46 +0200

The Dynatrace UI is only accessible over encrypted HTTPS connections. To ensure secure access and avoid browser warnings, you must configure a valid SSL certificate. Dynatrace can manage this for you automatically—each cluster gets a dedicated web domain (subdomain of dynatrace-managed.com) and a trusted SSL certificate. You can use this domain to access the Dynatrace UI without receiving browser warnings.

If you don't want Dynatrace to create the domain and SSL certificate for you, go to Settings > Preferences in the Cluster Management Console and disable the Manage domain name and SSL certificates option. Dynatrace will then use a self-signed SSL certificate. Self-signed certificates aren't trusted by default—the first time you attempt to connect to Dynatrace Managed you'll receive a security warning. Confirm this exception within your browser security settings.

If you want to use your own trusted SSL certificate, after disabling automatic management, follow the instructions below.

Before you begin

You'll need:

Your SSL certificate and the key files you received from Certificate Authority (CA):
- Server certificate (.cer or .cert)
- Root and Intermediate certificates (.cer or .cert)
- Private key for certificates (.pem)
  
  Encrypted private keys
  We don't support encrypted private keys. To decrypt an SSL private key, run the following command:
  openssl rsa -in encrypted.ssl.key -out decrypted.ssl.key
  
  Replace encrypted.ssl.key with the filename of your encrypted SSL private key and decrypted.ssl.key with the output file for your decrypted SSL private key. The command will prompt you for the password and save the decrypted key in the file decrypted.ssl.key.
Optionally, for command line installation:
- Dynatrace Managed installation script
- OpenSSL toolkit

Install your trusted certificate on Dynatrace Server

If you want to use your own certificate or a CA-issued certificate, upload or paste the certificate to Dynatrace Server. You can also set the host name associated with the certificate to be part of the Dynatrace Server configuration.

Log into Dynatrace Server as an administrator.

On the Dynatrace Managed deployment status page, select the cluster node that needs the new certificate.

On the Node Details page, click Edit SSL certificate.

You can paste or upload the key files you received from the CA authority.

Your Private key in the Private key box.
Your Server certificate in the Public key certificate box.
Your Root and Intermediate certificates in the Certificate chain box.

When you paste the key, make sure to include the headers and footers in the text field.

Click Save to upload the certificates.

Name-mismatch error

Your certificate is associated with a specific host name. To avoid a name-mismatch error, make sure that the common name (domain name) in the SSL certificate matches the address that is in the address bar of the browser.

Install certificate during Dynatrace Managed installation

All you need to do is make a KeyStore file accessible to the Dynatrace Managed installation script.

During Dynatrace Managed installation, you can use the --ssl-keystore parameter to point the installer to where the PKCS12 KeyStore is. The installer will then use the KeyStore instead of generating a self-signed certificate.

How do I prepare the KeyStore?

You need to combine the server certificates and private key into a PKCS12 SSL KeyStore. Use OpenSSL to generate this. In the command line, make sure to use dynatraceserver as the name value and dynatrace as the pass value:

openssl pkcs12 -export -out <dynatrace-keystore.pkcs12> -name dynatraceserver -password pass:dynatrace -in <server_certificate.cer> -certfile <root-and-intermediate-certificates.cer> -inkey <private-key-for-certificates.pem>

Note that to ensure that Dynatrace Server recognizes the certificates correctly, -name dynatraceserver -password pass:dynatrace can't be changed.

If you intend to install your certificate during Dynatrace Managed installation or at a later time, you'll need to keep the KeyStore on the machine.

Example

If you're logged in as root and want to use /tmp/mycomp-ssl-cert.pkcs12 during installation, use the following command to install Dynatrace Managed and your CA issued certificate:

dynatrace-managed-installer.sh --install --ssl-keystore /tmp/mycomp-ssl-cert.pkcs12 --license 1234abc567

Note that you need to provide the full path to the KeyStore file as the --ssl-keystore parameter value.