Sign the CSR and Upload the Signed TLS Certificate

After downloading the CSR file, you must get it signed from a certificate authority (CA) of your choice. You can then upload the signed TLS certificate. Splunk AppDynamics Controller also supports certificate chain. A certificate chain consists of a leaf certificate and intermediate certificates.

Note: The intermediate certificate must be created by using the .ext file provided by your certificate authority.
  1. To upload the signed TLS certificate on your Splunk AppDynamics Controller, click Upload New Client Certificate.
  2. Upload the signed TLS certificate (.pem file) directly or copy and upload the Base64 encoded text from the TLS certificate.
    Note: If you have a certificate chain, upload only the leaf and intermediate certificates as a single .pem file. Or copy and upload the Base64 encoded text of the the leaf and intermediate certificates. Do not upload the root certificate.

    The following sample illustrates a certificate chain that consists of a leaf certificate and an intermediate certificate:

    
Certificate chain sample

-----BEGIN CERTIFICATE-----
MIIEGTCCAgGgAwIBAgIJAL5ibUhpLjFHMA0GCSqGSIb3DQEBCwUAMB0xCzAJBgNV
BAYTAklOMQ4wDAYDVQQDDAVJTlRFUjAeFw0yMzAzMjExMDMyMDdaFw0yNDAzMjAx
MDMyMDdaMFIxCTAHBgNVBAcTADEJMAcGA1UECBMAMQswCQYDVQQGEwJJTjEJMAcG
A1UECxMAMQkwBwYDVQQKEwAxFzAVBgNVBAMTDmxvY2FsaG9zdDo4MDgwMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAweI7PCWPgGn0o2pN3vHuqaxfKFMD
aR1HuluhVxyUaWP4FHZXnW796Qmebpmt6YSmCTjrTVtt/M5Nds+39PDuj62F8duC
g/owQtN75MHdOTLm0c9x1r6o62pjmLPLlMJmCu28agI6uKJXYMXmz8CzKJaiBz/f
j4JZyVd/Yn9GPXD7Exhul3aJX75Un7DvQBATQYfBo6BmqQz3PfeFkag6p94MjBlY
x+qAL8KeamAwtYm2Qcp3QygU6I1KsDqFsd+UvaclrRRxaY4glfjxXUldZl9Ryk/P
JAiSSaZ54uSbD9qwbcLPop2EzOcLKbR7WcZsy+k9R54x/GRXsVBP35lruQIDAQAB
oycwJTAOBgNVHQ8BAf8EBAMCBJAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZI
hvcNAQELBQADggIBABGlU4RGHCLzPvsxz+QMImQ6qNuN0CbetIaMhh+aaWnGVXNe
f2W1xfzo+xOvFhHMcgJJmOrkawJQmXlBF/0nDOFuW5AjKabB0pMkGdRsfLuCY3Bq
b8VYWh7K0XGwpk6kRmtGppWXVW0W3i6aHwyKiTuFRxDq3WWlzBeozkd1rbyrL0bL
kvGS6uRkWzuzNNULM5pd+qbTV32SPHPzHxJijQwbIJeenkDHmazg9v7eJHUZFuyY
rh77+2DgG4t7hwhaEhdFz4PFZ34NowWI9TzQ3y2L/xMHog2jSrz9xsG0YwhmXNY0
CYj9eMRAbDzsGkzOsB6doN0R6+TnXlbxs6HqEXHf1MVCRKG405lS+qdO8Si6ZvEN
ccNSktSOnHGIXWbYL8zPxbhAbdOQGqMwnZCOXnUjtXMg0mAE0Dr7RijS587m0PkX
1Xh1LyU3xXtwd26v+i9Srh1kwmcJpItlKPcVMtdYRILVz0jGpd/J2CDcRuvHtzB1
vHFqiUni9IWYYBhRsWZTFnh5qO1+yc9tWgx0k7fVPc4haslwTa9K6SDtBkfl7WGt
RoW8nGXBmTA4rn8Zdow14C8c/zkaZCb6/6qUZFIq//Stnu+gJEjxG7tO6JFfTp/j
/NvwyXpozI8FnKyFBTVTVCBDKPceI7Z7xRq7e95ARBT2dApXXisPmLW5bDP3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIJALqp1BzVxWxiMA0GCSqGSIb3DQEBCwUAMBwxCzAJBgNV
BAYTAklOMQ0wCwYDVQQDDARyb290MB4XDTIzMDMyMTEwMjgxOVoXDTI0MDMyMDEw
MjgxOVowHTELMAkGA1UEBhMCSU4xDjAMBgNVBAMMBUlOVEVSMIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEA0JZ/KXP4WyfYxLya5rMxTSVmHCVuWJeSYfsS
VoxOHGpksIE54Tv/g0fAjEgKbb/k6+dIwzVH5odKS/bkaQdc13HAPsSsGi0rl/ax
jK+iqhbBEXFqmyvF7hmBuA83j93dQCPTj7lYUcQxS7Kf6lh6hs+UFSLLDRBtI1ey
YbPnOljQ3jll0OdgH2MoeVXeKr/9+o2xtcXf1JfBVhMK0j8RRkNUfMn3lJJ8pUgu
6/ARfwA1esPYg4dNXUFT6CNtM8zqZuTMGdBND0yVXPagQ/KKJzBevrSvl5PIlLEV
nvwHEJtnc9sKUpK9SepAzvWdLAWhvsnaECo7tXosqF+tBHdv6J/XxhdYEjFngIz3
dJ3cqbXwzOtfEaGbCoNKsYsHiw92L/wFRE9RZIiLqBZIEOHzXXNi98s54jDU1YDR
A1Lc02Ie39vpvwiypfXEEUiuQOjbY8m4lcTiP+sahljFO3o9qoouoX4SV3YM3nSp
y1U+sSZB3mh8UCgPoPKoPl7e5JGPguMCO0NBR4hFeqREDYlcmg+50ZHaj6qUx7MD
hBi9B0p3w+fhgbyHdo0rDs75xja6M08PdHUs8Gu6D2+KLp5oyE1OaYGjcHwsdzlE
5+SJuUUD73s26JLlhDJ7EY/09pyVwnrx2PbWoeF3Tc5qX1mqBlk+1LImF6AQTb+c
1MSym3ECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AQEAbIWhRxGN0KIQNwpn48FAXgiKeUWuNmPb+MqlifO0u/ko5Vh8xXQmUsrGCupI
W/lhRJSsAXI4B5Ss680pne55QLOY+6dXINnsObP5Xlz6PErugfYFIxddM8OEjn06
Qn/UhehtgBQlUbv34KSrdh1ylXIGLpS3YqeGWufTlMx1WJToVfnBbF6+QIiWjTSC
pt5nkHMph/oQcqTXJoxyzY6qwPx5+fYNuNDKvIJeWbR/NX/ukR/mMTb0kEFZfbaQ
OslSWnFEk15Wk6tZzMkiZlOqf/8qjYbwr5QgXVFUHCw4F5bQKdJIelMlzQrUrOxA
3GeUYyRbfeaE4l9De4geSrphAw==
-----END CERTIFICATE-----

    Points to consider:

    Before uploading a new TLS certificate, ensure the following points are met:
    • The certificate must be either in the .pem or .crt format.
    • The certificate encoding scheme must be Base64.
    • The certificate must have a valid expiry date.
    • The certificate must be a client certificate.
    • The certificate must match with the corresponding CSR.
    • For a certificate chain:
      • all the certificates must be uploaded by using a single .pem file.
      • the first certificate must be the leaf certificate and the subsequent certificates must be the intermediate certificates. Each certificate must be signed by the subsequent certificate.
      • the leaf certificate must be a client certificate.
      • the leaf certificate must have a valid expiry date.
      • the leaf certificate must match the corresponding CSR.
      • the length of the certificate chain must not be greater than the length specified in the flag appdynamics.controller.alerting.mtls.max.certificate.chain.length. See Controller Setting for Certificate Chain Length.
    If you face any error while uploading the signed TLS certificate, refer Troubleshoot Mutual TLS Certificate Issues.