Establish Trust for the Controller SSL Certificate

To establish trust between the Java Agent and the Controller, you must import the root certificate for the authority that signed the Controller's certificate into the agent truststore.
Note: If you secured your on-premises Controller with a self-signed certificate, see Keystore Certificate Extractor Utility for instructions to create the agent truststore.
  1. Obtain the root certificate for the authority that signed the certificate for the Controller:
    • For SaaS Controller deployments only: You can download the DigiCert root certificates from https://www.digicert.com/digicert-root-certificates.htm and the IdenTrust root certificate from https://www.identrust.com/identrust-commercial-root-ca-1.

      Ensure that you include at least the following certificates:

      • DigiCert Global Root CA
      • DigiCert Global Root G2
      • DigiCert Global Root G3
      • IdenTrust Commercial Root CA 1
    • You must import only the root CA certificate into the Java SSL truststore, because host certificates have a very short lifespan and change often. Trusting the root CA certificate ensures uninterrupted connectivity to the Controller when the host certificate changes before expiry.
  2. Run the Java keytool command to import the root certificate.
    The command creates the keystore in the versioned agent configuration directory if it does not exist:
    keytool -import -alias rootCA -file <root_certificate_file_name> -keystore <agent_home>/<version_number>/conf/cacerts.jks -storepass <truststore_password>
    For example:
    keytool -import -alias ControllerRootCA -file /usr/home/appdynamics/DigicertGlobalRootCA.pem -keystore /usr/local/appagent/4.3.0.0/conf/cacerts.jks -storepass MySecurePassword
    Note: Make note of the truststore password; you need it to configure the Java Agent.
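
Steps 1 and 2 combined for several downloaded roots, as an added example that is not part of the vendor documentation. It assumes the root certificates are saved as .pem files in one directory and that the truststore password is exported in an environment variable named TRUSTSTORE_PASS; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: import every downloaded root into the agent truststore.
# Assumed: PEM files in one directory, password in $TRUSTSTORE_PASS.

# Build a distinct keytool alias from a file name:
# "DigiCert Global Root G2.pem" -> "digicertglobalrootg2"
alias_for() {
    basename "$1" | sed 's/\.[^.]*$//' | tr -cd '[:alnum:]' | tr '[:upper:]' '[:lower:]'
}

# Succeeds only when Owner equals Issuer, i.e. the file is a self-signed
# root rather than a host or intermediate certificate (name check only).
is_root_cert() {
    out=$(keytool -J-Duser.language=en -printcert -file "$1") || return 1
    owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p' | head -n 1)
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# import_roots <cert_dir> <truststore>
import_roots() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        if ! is_root_cert "$f"; then
            echo "skipped (not a root certificate): $f" >&2
            continue
        fi
        # No -noprompt: keytool prints the fingerprints and asks before trusting.
        # -storepass:env keeps the password out of the process list.
        keytool -importcert -alias "$(alias_for "$f")" -file "$f" \
            -keystore "$2" -storepass:env TRUSTSTORE_PASS || return 1
    done
    # List the resulting entries so the imported aliases can be checked.
    keytool -list -keystore "$2" -storepass:env TRUSTSTORE_PASS
}

# Run only when called with both arguments: <cert_dir> <truststore>
if [ "$#" -eq 2 ]; then
    import_roots "$1" "$2"
fi
```

Compare the fingerprints that keytool displays at each confirmation prompt with the values published by the certificate authority before answering yes.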