Create a Certificate and Generate a CSR

If you don't have a certificate to use for the Controller, create it as follows.

Splunk AppDynamics On-Premises requires an X.509 digital certificate, which works with any file type.

In these steps, you generate a new certificate within the Controller's active keystore, so it has immediate effect.

The steps are intended to be used in a staging environment, and require the Controller to be shut down and restarted. Alternatively, you can generate the key as described here but in a temporary keystore rather than the Controller's active keystore. After the certificate is signed, you can import the key from the temporary keystore to the Controller's keystore.

  1. At a command prompt, change directories to the following location:
    <Controller_home>/appserver/jetty/etc
  2. Create a backup of the keystore file. For example, on Linux, you can run:
    cp keystore.jks keystore.jks.backup
    On Windows, you can use the copy command in a similar manner.
  3. If it's still running, stop the Controller.
  4. Delete the existing certificate with the alias s1as from the keystore:
    keytool -delete -alias s1as -keystore keystore.jks
  5. Create a new key pair in the keystore using the following command. This command creates a key pair with a validity of 1825 days (5 years). Replace 1825 with the validity period appropriate for your environment, if desired.
    keytool -genkeypair -alias s1as -keyalg RSA -keystore keystore.jks -keysize 2048 -validity 1825
    Follow the on-screen instructions to configure the certificate. Note that:
    • For the first and last name, enter the domain name where the Controller is running, for example, controller.example.com.
    • Enter the default password for the key, changeit.

    This generates a self-signed certificate in the keystore. We'll generate a signing request for the certificate next. You can now restart the Controller and continue to use it. Since it still has a temporary self-signed certificate, browsers attempting to connect to the Controller UI will get a warning to the effect that its certificate could not be verified.

    See Change Keystore Password for information on changing the default password for the keystore and certificates.

  6. Generate a certificate signing request for the certificate you created as follows:
    keytool -certreq -alias s1as -keystore keystore.jks -file AppDynamics.csr
  7. Submit the certificate signing request file generated by the command (AppDynamics.csr in our example command) to your Certificate Authority of choice. When it's ready, the CA will return the signed certificate and any root and intermediary certificates required for the trust chain. The response from the Certificate Authority should include any special instructions for importing the certificate if needed. If the CA supplies the certificate in text format, just copy and paste the text into a text file.
  8. Import the signed certificate:
    keytool -import -trustcacerts -alias s1as -file mycert.cer -keystore keystore.jks
    This command assumes the certificate is located in a file named mycert.cer.
  9. If you get the error "Failed to establish chain from reply", install the issuing Certificate Authority's root and any intermediate certificates into the keystore. The root CA chain establishes the validity of the CA signature on your certificate. Although most common root CA chains are included in the bundled JVM's trust store, you may need to import additional root certificates, such as certificates belonging to a private CA. To do so:
    keytool -import -alias [Any_alias] -file <path_to_root_or_intermediate_cert> -keystore <Controller_home>/appserver/jetty/etc/cacerts.jks
When done importing the certificate chain, try importing the signed certificate again.
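
The temporary-keystore alternative mentioned at the start of this page, written out as a script. This is an added example, not part of the original documentation: the file name temp-keystore.jks, the function names, the csr/install subcommands and the use of -dname and -importkeystore are assumptions of the example.

```shell
#!/bin/sh
# Added example: temporary-keystore variant of the steps above.
# Assumptions: temp-keystore.jks, the function names and the csr/install
# subcommands are illustrative; keytool prompts for every password.
set -eu
ALIAS=s1as
TEMP_KS=temp-keystore.jks

# Phase 1 (Controller keeps running): key pair and CSR in the temporary keystore.
# $1 = Controller host name; -dname replaces the interactive name prompts.
make_csr() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 1825 \
    -dname "CN=$1" -keystore "$TEMP_KS" || return 1
  keytool -certreq -alias "$ALIAS" -keystore "$TEMP_KS" -file AppDynamics.csr
}

# Phase 2 (stop the Controller first): $1 = signed certificate, $2 = active keystore.
install_signed() {
  # Attach the CA reply in the temporary keystore first, so a chain error
  # stops the script before the active keystore has been changed.
  keytool -import -trustcacerts -alias "$ALIAS" -file "$1" \
    -keystore "$TEMP_KS" || return 1
  cp "$2" "$2.backup" || return 1
  keytool -delete -alias "$ALIAS" -keystore "$2" || return 1
  # Copy the private key and its signed chain into the active keystore.
  keytool -importkeystore -srckeystore "$TEMP_KS" -destkeystore "$2" \
    -srcalias "$ALIAS" -destalias "$ALIAS"
}

case "${1:-}" in
  csr)     make_csr "${2:?host name required}" ;;
  install) install_signed "${2:?signed certificate required}" "${3:?keystore path required}" ;;
esac
```

For a private CA, import its root and intermediate certificates into the temporary keystore before running the install phase, since keytool builds the chain from the keystore it is importing into plus the JVM trust store. If the last command fails, restore the active keystore from the .backup copy.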