This topic applies to Dynatrace Managed installations only.
By default, we create a self-signed certificate during installation and set it up in your Dynatrace Managed Server. This means that your browser will display the following dialog each time you access Dynatrace Server:
To avoid seeing this warning, you can use a proper SSL certificate with Dynatrace Managed Server. You can pass the certificate during installation or at a later time.
What you need:
Your SSL certificate and the key files you received from Certificate Authority (CA):
- Server certificate (
- Root and Intermediate certificates (
- Private key for certificates (
Optionally, for command line installation:
- Dynatrace Managed installation script
- OpenSSL toolkit
Install certificate on Dynatrace Server
If you want to use your own certificate or a CA-issued certificate, upload or paste the certificate to Dynatrace Server. You can also set the host name associated with the certificate to be part of the Dynatrace Server configuration.
Upload certificate files
Log in to Dynatrace Server as an administrator.
On the Dynatrace Managed deployment status page, Select the cluster node that needs the new certificate.
On the Node Details page, click Edit SSL certificate.
You can paste or upload the key files you received from the CA authority.
When you paste the key, make sure to include the headers and footers in the text field.
Click Save to upload the certificates.
Your certificate is associated with a specific host name. To avoid a name-mismatch error, make sure that the common name (domain name) in the SSL certificate matches the address that is in the address bar of the browser.
Install certificate during installation
All you need to do is make a KeyStore file accessible to the Dynatrace Managed installation script.
You need to combine the server certificates and private key into a PKCS12 SSL KeyStore. Use OpenSSL to generate this. In the command line, make sure to use
dynatraceserver as the name value and
dynatrace as the pass value:
openssl pkcs12 ‐export ‐out <dynatrace‐keystore.pkcs12> ‐name dynatraceserver ‐password pass:dynatrace ‐in <server_certificate.cer> ‐certfile <root‐and‐intermediate‐certificates.cer> ‐inkey <private‐key‐for‐certificates.pem>
Note that to ensure that Dynatrace Managed Server recognizes the certificates correctly,
-name dynatraceserver -password pass:dynatrace can’t be changed.
If you intend to install your certificate during Dynatrace Managed Server installation or at a later time, you’ll need to keep the KeyStore on the machine.
During Dynatrace Managed Server installation you can use the –ssl-keystore parameter to point the installer to where the PKCS12 KeyStore is. The installer will then use the KeyStore instead of generating a self-signed certificate.
If you’re logged in as root and want to use /tmp/mycomp-ssl-cert.pkcs12 during installation, use the following command to install Dynatrace Managed Server and your CA issued certificate:
dynatrace‐managed‐installer.sh ‐‐install ‐‐ssl‐keystore /tmp/mycomp‐ssl‐cert.pkcs12 ‐‐license 1234abc567
Note that you need to provide the full path to the KeyStore file as the
--ssl-keystore parameter value.