Update to a Signed Certificate

You can replace the built-in self-signed certificate created by the Enterprise Console with a certificate signed by an eligible certificate authority (CA).

Warning: If you want to reuse the existing public key from the Java keystore to generate a CSR, you must import the signed certificates manually. See steps 6 to 9 in Create a Certificate and Generate a CSR for more information.

Most Linux distributions include OpenSSL. If you are using Windows or your Linux distribution does not include OpenSSL, you may find more information on the OpenSSL website.

  1. Obtain a signed certificate:
    1. Create a certificate signing request (CSR).
      //Some CAs will create everything for you, including the private key. You can use the following keytool command to create a CSR from the existing keystore.jks.
      keytool -certreq -alias ec-server -keystore keystore.jks -file AppDynamics.csr

      or

      //You can also use the following openssl command to create your own private key and CSR. The -nodes option writes the private key unencrypted, so restrict read access to the key file.
      openssl req -new -newkey rsa:2048 -nodes -out <name of csr request file>.csr -keyout <name of private key>.key -subj "/C=<custom>/ST=<custom>/L=<custom>/O=<custom>/OU=<custom>/CN=<hostname>"
    2. Submit the certificate signing request file generated by the command (AppDynamics.csr in our example command) to your Certificate Authority of choice. When it's ready, the CA will return the signed certificate and any root and intermediate certificates required for the trust chain. The response from the Certificate Authority should include any special instructions for importing the certificate, if needed. If the CA supplies the certificate in text format, just copy and paste the text into a text file.
  2. Run the Enterprise Console update certificate CLI command:
    ./platform-admin.sh update-certificate --private-key <privateKeyfile> --ssl-cert <sslCertFile> --ssl-chain <sslChainfile1> <sslChainfile2> ...
    Warning: Refer to the following help points when running this command:


    • The privateKeyfile, sslCertFile, and ssl-chain files do not have any file format restrictions. Any file format, such as .pkey and .txt, should work, as long as it is readable.
    • The privateKeyfile file content must follow the PKCS8 format.
    • sslCertFile is your SSL certificate file.
    • ssl-chain files are additional certificates, such as intermediate certificates. These are optional, and you may provide as many of them as you would like.
    This command updates the certificate in the keystore and truststore in the configuration yml file.
  3. Restart the Enterprise Console for the new SSL configurations to take effect.
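
Checks you can run on the key and certificate files before step 2, as an added example that is not part of the Enterprise Console CLI or its documentation. The function names are illustrative, and `-nocrypt` is an assumption that matches the unencrypted key produced by the `-nodes` command above.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before update-certificate.
# Function names are illustrative; they are not part of platform-admin.sh.

# key_format FILE: classify a PEM private key by its header line.
key_format() {
    if grep -q -- '-----BEGIN PRIVATE KEY-----' "$1" 2>/dev/null; then echo pkcs8
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then echo pkcs8-encrypted
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1" 2>/dev/null; then echo pkcs1
    elif grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$1" 2>/dev/null; then echo sec1
    else echo unknown
    fi
}

# to_pkcs8 IN OUT: rewrite a key as unencrypted PKCS#8 PEM, readable by owner only.
to_pkcs8() {
    ( umask 077 && openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" )
}

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
# Each output is captured separately so a failed read never compares as equal.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# preflight KEY CERT: 0 = ready, 2 = wrong key format, 3 = mismatch, 4 = expired.
preflight() {
    fmt=$(key_format "$1")
    [ "$fmt" = pkcs8 ] || { echo "key format is $fmt, expected pkcs8" >&2; return 2; }
    key_matches_cert "$1" "$2" || { echo "certificate does not match key" >&2; return 3; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || { echo "certificate expired" >&2; return 4; }
}
```

Source the file and run `preflight <privateKeyfile> <sslCertFile>`; if it reports a format other than pkcs8, convert the key with `to_pkcs8` and pass the converted file to `--private-key`.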