Sign extensions

  • How-to guide
  • 2-min read
  • Published Apr 21, 2021

Each extension uploaded to a Dynatrace environment must be signed so that Dynatrace can verify the authenticity and integrity of the extension. After you've signed your extension, each host running your extension, whether OneAgent or ActiveGate, needs to have the root certificate saved in a dedicated directory.

  • In a development environment, each developer should have a unique leaf certificate. This ensures the traceability of changes.
  • In a production environment, each extension must be signed with its own leaf certificate. This guarantees the authenticity of each extension.

Sign your extension

Depending on your needs, choose one of the following methods to sign and build your extension:

Dynatrace CLI

You can also use the Dynatrace CLI (dt-cli) to sign your extension. Since its features are fully contained within dt-extensions-sdk CLI, only use it as a lighter alternative for CI/CD environments.

Read more about dt-cli on GitHub.

Upload your root certificate

Each host running your extension, whether OneAgent or ActiveGate, needs to have the root certificate saved in a dedicated directory. This step is required to enhance the security of the Extensions framework.

By doing this:

  • You verify the authenticity of distributed extensions
  • You prevent potential malicious extension distribution by an intruder who could take control of your environment

For JMX extensions, you only need to place the certificate on the Dynatrace cluster.

Remote extensions

Upload your root certificate to each ActiveGate host within the ActiveGate group selected for running your extensions

Save the root.pem certificate file in the following location:

  • Linux:
    <CONFIG>/remotepluginmodule/agent/conf/certificates/ (default: /var/lib/dynatrace/remotepluginmodule/agent/conf/certificates/)
  • Windows:
    %PROGRAMDATA%\dynatrace\remotepluginmodule\agent\conf\certificates

Local extensions

Upload your root certificate to each OneAgent host or each OneAgent host within the host group selected for running your extensions.

Save the root.pem certificate file in the following location:

  • Linux:
    /var/lib/dynatrace/oneagent/agent/config/certificates
  • Windows:
    %PROGRAMDATA%\dynatrace\oneagent\agent\config\certificates
Related tags
ExtensionsExtensions