
Lifecycle of ca.pem files in a multi-developer context

AurelienGravier
DynaMight Champion

Hello,

 

In a context where multiple developers are authorized to create and distribute custom Dynatrace V2 extensions in production, I have some questions about how the lifecycle of ca.pem files should be managed on ActiveGates.

Is ca.pem verification done at each extension execution or only at the first execution?

Can each developer overwrite the existing ca.pem with each new extension distribution without impacting other custom extensions?

Or should each developer manage a rotation of the CA certificate at each new extension distribution, for example, ca_dev1.pem, ca_dev2.pem, ...?

Thank you for the clarification.
Regards Aurélien.

Observability consultant - Dynatrace Associate/Pro/Services certified
3 REPLIES

Mike_L
Dynatrace Guru

I'd recommend that you provide leaf certificates for your developers and place the root certificate on the AG/OAs. That way you don't have to worry about different files per developer, or overwriting files.

If you quickly need to kill the extensions signed by one certificate you can add it to a certificate revocation list and the extensions signed with that certificate will be killed immediately.

Mike
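
The trust model described in this reply (one root certificate on the hosts, one leaf certificate per developer, a CRL to cut off a single developer), sketched with plain `openssl` as an added example. It is not from the thread and not Dynatrace's own tooling; the directory layout, file names and the aliases `dev1`/`dev2` are constructed, and how a CRL reaches an ActiveGate is product-specific and not shown.

```shell
# Constructed demo PKI: all file names and the aliases dev1/dev2 are hypothetical.
pki_init() {     # $1 = work dir: create the root CA (the one file hosts would trust)
  d=$1; mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" || return 1
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = root_ext
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d/newcerts
certificate = $d/root.pem
private_key = $d/root.key
default_md = sha256
default_days = 90
default_crl_days = 7
policy = pol
x509_extensions = leaf_ext
[pol]
commonName = supplied
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
    -subj "/CN=Demo Extension Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null   # empty CRL
}
issue_leaf() {   # $1 = work dir, $2 = developer alias: leaf signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}
revoke_leaf() {  # $1 = work dir, $2 = alias: revoke one developer, republish the CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
leaf_trusted() { # exit 0 only if the leaf chains to the root and is not on the CRL
  openssl verify -crl_check -CAfile "$1/root.pem" -CRLfile "$1/crl.pem" "$1/$2.pem" >/dev/null 2>&1
}
w=$(mktemp -d) && pki_init "$w" && issue_leaf "$w" dev1 && issue_leaf "$w" dev2 && revoke_leaf "$w" dev1
for dev in dev1 dev2; do   # dev1 is rejected, dev2 keeps working, root.pem is unchanged
  if leaf_trusted "$w" "$dev"; then echo "$dev: trusted"; else echo "$dev: rejected"; fi
done
```

Adding or removing a developer only touches that developer's leaf and the CRL; `root.pem` on the hosts stays the same.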

Hello Mike,

As a partner, we work for multiple clients.

Some use enterprise certificates and have their own certification authority, but most are not able to do so.

Using the ca.pem generated from the Dynatrace VSCode integration is, in most cases, the chosen solution because it is the simplest.

 

In this context, how do you recommend we manage the ca.pem on the AG?

 

Thank you for your feedback.
Regards

Observability consultant - Dynatrace Associate/Pro/Services certified

In that case, rename it with the developer alias or so in there.

Mike
