Sign extensions
- How-to guide
- 2-min read
- Published Apr 21, 2021
Each extension uploaded to a Dynatrace environment must be signed so that Dynatrace can verify the authenticity and integrity of the extension. After you've signed your extension, each host running your extension, whether OneAgent or ActiveGate, needs to have the root certificate saved in a dedicated directory.
- In a development environment, each developer should have a unique leaf certificate. This ensures the traceability of changes.
- In a production environment, each extension must be signed with its own leaf certificate. This guarantees the authenticity of each extension.
Sign your extension
Depending on your needs, choose one of the following methods to sign and build your extension:
dt-extensions-sdk - an all-in-one CLI tool recommended- VSCode Extension - an all-in-one editor-based tool recommended
- Use OpenSSL - a standard crypto library for manual control
You can also use the Dynatrace CLI (dt-cli) to sign your extension. Since its features are fully contained within dt-extensions-sdk CLI, only use it as a lighter alternative for CI/CD environments.
Read more about dt-cli on GitHub.
Upload your root certificate
Each host running your extension, whether OneAgent or ActiveGate, needs to have the root certificate saved in a dedicated directory. This step is required to enhance the security of the Extensions framework.
By doing this:
- You verify the authenticity of distributed extensions
- You prevent potential malicious extension distribution by an intruder who could take control of your environment
For JMX extensions, you only need to place the certificate on the Dynatrace cluster.
Remote extensions
Upload your root certificate to each ActiveGate host within the ActiveGate group selected for running your extensions
Save the root.pem certificate file in the following location:
- Linux:
<CONFIG>/remotepluginmodule/agent/conf/certificates/(default:/var/lib/dynatrace/remotepluginmodule/agent/conf/certificates/) - Windows:
%PROGRAMDATA%\dynatrace\remotepluginmodule\agent\conf\certificates
Local extensions
Upload your root certificate to each OneAgent host or each OneAgent host within the host group selected for running your extensions.
Save the root.pem certificate file in the following location:
- Linux:
/var/lib/dynatrace/oneagent/agent/config/certificates - Windows:
%PROGRAMDATA%\dynatrace\oneagent\agent\config\certificates
Extensions