
EF2 extensions: More than one root CA in root.pem?

AntonioSousa
DynaMight Guru

When developing custom extensions, we have to upload the root cert CA to the root.pem file, in your AG, according to:
https://docs.dynatrace.com/docs/extend-dynatrace/extensions20/sign-extension

Has anyone experienced or had the need to have more than one root CA, for two sets of developers? Do these files and Dynatrace support multiple root CAs in the file?

Antonio Sousa
5 REPLIES

Julius_Loman
DynaMight Legend

Use a single CA and generate certificates for individual developers. You upload the root CA cert only to Environment/AG/OA. But you will have to generate the certs manually (do not autogenerate them in vscode).

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

As long as you name the files differently, you can have several certificates in the folder. That being said, I recommend doing what Julius said, though, for simplicity’s sake when you onboard new developers.

Mike

@Mike_L,

Does that mean that I can have a root.pem, root1.pem, etc. in the same directory?

BTW, the use case is a client where two Organizations are developing, both us & the client. And I also can see eventually other custom extensions in the future.

Antonio Sousa

We load in any certificate in that folder, no matter the name. 

Mike

Hi Antonio, 

You can have several root certificates uploaded in the certificate folder, however that may defeat the benefits of signing extensions in the first place.

If you want to ensure that only your trusted developers are able to upload extensions, please consider the following:

  • Code signing certificate issued by your domain admins to each of your developers.
  • Use a single CA so the certificates issued to the developers are valid.
  • Optional to use Intermediate certificates and upload the chain to OA. The benefits here are to create structures for what systems the developers can deploy extensions to. 

Detailed sketch on how Extensions 2.0 are validated and run.

[Figure: Workflow]

Example on how additional security is being added to different systems using several intermediate CAs in a domain. Please ignore "script 2" in the sketch, as an extension cannot be signed by multiple signers (yet).

[Figure: Additional security]

Let me know if the figures attached will help you determine what the best course of action will be for your environment.

Good luck!

Intility - Dynatrace Professional
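
An added illustration of the trust model discussed in this thread, not code from any poster or from Dynatrace: it uses plain OpenSSL chain verification as a stand-in for the extension signature check, with constructed names (org-root, other-root, dev-alice, dev-bob, dev-outsider). It shows that one root CA covers every developer certificate issued under it, and that adding a second root to the trust store makes certificates from that CA trusted as well.

```shell
#!/bin/sh
# Constructed demo: all names, subjects and lifetimes are illustrative.
set -eu

# Create a self-signed root CA named $1 (writes $1.key and $1.pem).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a developer certificate named $2, signed by root $1.
issue_dev() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -sha256 -days 30 -out "$2.pem" 2>/dev/null
}

# Echo "trusted" if cert $2 chains to a root in bundle $1, else "rejected".
check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Build both trust-store variants in a scratch directory and report on each.
demo() (
  dir=$(mktemp -d)
  cd "$dir"
  make_root org-root
  make_root other-root
  issue_dev org-root dev-alice
  issue_dev org-root dev-bob
  issue_dev other-root dev-outsider
  cp org-root.pem trust-single.pem                  # one root CA
  cat org-root.pem other-root.pem > trust-both.pem  # second root added
  for store in trust-single trust-both; do
    echo "$store: alice=$(check $store.pem dev-alice.pem)" \
      "bob=$(check $store.pem dev-bob.pem)" \
      "outsider=$(check $store.pem dev-outsider.pem)"
  done
  cd / && rm -rf "$dir"
)

demo
```

The certificates here carry no particular extensions; follow the signing documentation linked in the question for the certificates you actually deploy.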
