OneAgent is shipped with trusted Dynatrace SSL certificates, which are used to verify that OneAgent connects successfully to Dynatrace Server or ActiveGate.
If your environment uses a proxy with a custom certificate (thereby requiring an update to the remote server's SSL certificate) or you have an Environment ActiveGate with its own custom certificate, you need to add additional certificates to OneAgent.
Identify the SSL certificate that your ActiveGate uses.
Obtain the CA certificate (along with any intermediate certificates if they are in place).
Save the CA certificates as custom.pem.
Place the custom.pem file in the appropriate directory based on your operating system:
Linux: /var/lib/dynatrace/oneagent/agent/customkeys
Windows: %PROGRAMDATA%\dynatrace\oneagent\agent\customkeys
Make sure the custom.pem file contains the ActiveGate's certificate along with any intermediate certificates as required.
Identify the SSL certificate that your proxy uses.
Obtain the CA certificate (along with any intermediate certificates if they are in place).
Save the CA certificates as custom-proxy.pem.
Place the custom-proxy.pem file in the appropriate directory based on your operating system:
Linux: /var/lib/dynatrace/oneagent/agent/customkeys
Windows: %PROGRAMDATA%\dynatrace\oneagent\agent\customkeys
Make sure the custom-proxy.pem file contains the proxy's certificate along with any intermediate certificates as required.
OneAgent only reads custom-proxy.pem if it has been explicitly configured to use a proxy. If no proxy is configured, the file is ignored entirely—it is not used as a general CA certificate store.
If your setup involves both an HTTPS proxy with a custom certificate and an Environment ActiveGate with its own custom certificate, you need to provide a custom.pem file and a custom-proxy.pem file.