topic Re: EF2 extensions: More than one root CA in root.pem? in Extensions

EF2 extensions: More than one root CA in root.pem?

AntonioSousa — Sun, 20 Oct 2024 20:08:56 GMT

When developing custom extensions, we have to upload the root cert CA to the root.pem file, in your AG, according to:
https://docs.dynatrace.com/docs/extend-dynatrace/extensions20/sign-extension

Has anyone experienced or had the need to have more than one root CA, for two set of developers. Do these files and Dynatrace support multiple root CAs in the file?

Re: EF2 extensions: More than one root CA in root.pem?

Julius_Loman — Sun, 20 Oct 2024 20:13:34 GMT

Use a single CA and generate certificates for individual developers. You upload the root CA cert only to Environment/AG/OA. But you will have you generate the certs manually (do not autogenerate it in vscode).

Re: EF2 extensions: More than one root CA in root.pem?

Mike_L — Sun, 20 Oct 2024 20:20:21 GMT

As long as you name the files differently, you can have several certificates in the folder. That being said, I recommend to do what Julius said though for simplicity’s sake when you onboard new developers.

Re: EF2 extensions: More than one root CA in root.pem?

AntonioSousa — Sun, 20 Oct 2024 20:50:55 GMT

@Mike_L,

Does that mean that I can have a root.pem, root1.pem, etc in the same directory?

BTW, the use case is a client where two Organizations are developing, both us & the client. And I also can see eventually other custom extensions in the future

Re: EF2 extensions: More than one root CA in root.pem?

Mike_L — Sun, 20 Oct 2024 21:15:48 GMT

We load in any certificate in that folder, no matter the name.

Re: EF2 extensions: More than one root CA in root.pem?

jonhaugen — Mon, 21 Oct 2024 09:23:19 GMT

Hi Antonio,

You can have several root certificates uploaded in the certificate folder, however that may defeat the benefits of signing extensions in the first place.

If you want to ensure that only your trusted developers are able to upload extensions, please consider the following:

Code signing certificate issued by your domain admins to each of your developers.
Use a single CA so the certificates issued to the developers are valid.
Optional to use Intermediate certificates and upload the chain to OA. The benefits here are to create structures for what systems the developers can deploy extensions to.

Detailed sketch on how Extensions 2.0 are validated and ran.

Workflow

Example on how additional security is being added to different systems using several intermediate CA's in a domain. Please ignore "script 2" in the sketch, as an extension cannot be signed by multiple signers (yet)

Additional security

Let me know if the figures attached will help you determine what the best course of action will be for your environment.

Good luck!