24 Jul 2024 01:13 PM
Hello,
In a context where multiple developers are authorized to create and distribute custom Dynatrace V2 extensions in production, I have some questions about how the lifecycle of ca.pem files should be managed on ActiveGates.
Is ca.pem verification done at each extension execution or only at the first execution?
Can each developer overwrite the existing ca.pem with each new extension distribution without impacting other custom extensions?
Or should each developer manage a rotation of the CA certificate at each new extension distribution, for example, ca_dev1.pem, ca_dev2.pem, ...?
Thank you for the clarification.
Regards Aurélien.
24 Jul 2024 01:50 PM
I'd recommend that you provide leaf certificates for your developers and place the root certificate on the AG/OAs. That way you don't have to worry about different files per developer, or overwriting files.
If you quickly need to kill the extensions signed by one certificate you can add it to a certificate revocation list and the extensions signed with that certificate will be killed immediately.
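The root-plus-leaf layout recommended in the reply above, as an added example that is not part of the thread and not Dynatrace tooling: plain OpenSSL issues two developer leaf certificates from one root, and a single `ca.pem` accepts both while rejecting a certificate from an unrelated CA. All names (`Example Extensions Root`, `dev1`, `dev2`, `dev3`, `x509.cnf`) are constructed, and any certificate fields Dynatrace itself requires are not covered.

```shell
# Added illustration: plain OpenSSL with constructed names, not Dynatrace tooling.
set -eu

write_cnf() {  # $1 = directory; minimal config so no system openssl.cnf is needed
  cat > "$1/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
}

make_root() {  # $1 = directory, $2 = CN; writes root.key (keep offline) and ca.pem
  write_cnf "$1"
  openssl req -x509 -config "$1/x509.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 365 -subj "/CN=$2" -keyout "$1/root.key" -out "$1/ca.pem" 2>/dev/null
}

issue_leaf() {  # $1 = directory holding the root, $2 = developer alias
  openssl req -new -config "$1/x509.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 90 -extfile "$1/x509.cnf" -extensions v3_leaf \
    -out "$1/$2.pem" 2>/dev/null
}

trusted() {  # $1 = ca.pem deployed on the host, $2 = developer certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); other=$(mktemp -d)
  make_root "$d" "Example Extensions Root"
  issue_leaf "$d" dev1; issue_leaf "$d" dev2
  make_root "$other" "Unrelated Root"
  issue_leaf "$other" dev3
  for c in "$d/dev1.pem" "$d/dev2.pem" "$other/dev3.pem"; do
    if trusted "$d/ca.pem" "$c"; then echo "accepted: $c"; else echo "rejected: $c"; fi
  done
  rm -rf "$d" "$other"
}
demo
```

Only `ca.pem` needs to be placed on the hosts; `root.key` stays with whoever issues the developer certificates.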
25 Jul 2024 07:36 AM
Hello Mike,
As a partner, we work for multiple clients.
Some use enterprise certificates and have their own certification authority, but most are not able to do so.
Using the ca.pem generated from the Dynatrace VSCode integration is, in most cases, the chosen solution because it is the simplest.
In this context, how do you recommend we manage the ca.pem on the AG?
Thank you for your feedback.
Regards
25 Jul 2024 08:27 AM
In that case, rename it with the developer alias or so in there.