A couple of questions off the back of the subject:
- How does DT manage out-of-date AG certificates? Do they auto-renew? (We're using the default AG cert.)
- Does Dynatrace have a certificate validity check during install of the AG?
Any further information on AG default certificates would be amazing; I can't seem to find much information in the official docs.
Yeah, we're not intending to use custom ssl certificates.
All I can see in the documentation is the following:
Connection to ActiveGate, from OneAgents or REST API, takes place over an encrypted HTTPS channel. ActiveGate presents a self-signed authentication certificate to all connecting clients. While OneAgent instances may ignore the validity of ActiveGate certificates (depending on configuration).
Yes, that's correct and default behaviour.
Dynatrace does not manage the certificates on ActiveGates; it only provides you with methods to manage them: either locally, using the API (preferred), or certs can even be set up during installation. By default, there is a self-signed certificate issued to *.clients.dynatrace.org with a 10-year validity.
OneAgents can be configured so that they connect only to a trusted AG (trusted in terms of its certificate), but this is not the default.
For outgoing connections, AG uses its truststore.
Hi @Julius_Loman,
Do you have any documentation about the OneAgent configuration? We want to use our own certificates and not the self-signed ones. It only says that an agent "may ignore" the validity depending on the configuration (Custom SSL certificate for ActiveGate | Dynatrace Docs). But I can't find anything about this configuration (Customize OneAgent installation on Linux | Dynatrace Docs).
In our company we use .pem files with the public keys on the agents, but I can't find any more information about that either.