Configure SSL certificate for Cluster ActiveGate

How-to guide
2-min read

All communication to a Cluster ActiveGate is encrypted over SSL. For external communication, a Cluster ActiveGate requires a publicly available IP address and a domain name with a valid SSL certificate. This domain must be different from the Web UI domain.

As of April 17, 2025, Chinese regulations require an ICP (Internet Content Provider) certification for all publicly accessible services using the dynatrace-managed.com domain. Since Dynatrace does not hold an ICP certificate due to the lack of a legal entity in China, our domains have been blocked by the local network providers.

To maintain monitoring capabilities, we recommend the following:

Use internal DNS or IP addresses for Cluster ActiveGate endpoints.
Avoid exposing the Dynatrace UI or endpoints to public Chinese networks.

Certificate management options

After installation, a Cluster ActiveGate uses a self-signed certificate generated by Dynatrace. You have two options:

Let Dynatrace manage the domain and certificate — each Cluster ActiveGate with a public IP address receives a dedicated subdomain of dynatrace-managed.com with a trusted CA-signed SSL certificate.
Use your own domain and certificate — disable automatic management and upload your own certificate via the Cluster Management Console or the Cluster REST API v1.

Do not upload certificates directly to the device

Do not configure SSL certificates directly on the Cluster ActiveGate device. Any certificate uploaded this way will be overwritten by Dynatrace's automatic management.

Always upload your certificate using the Cluster Management Console or the Cluster REST API v1.

Let Dynatrace manage the domain and certificate

Log in to the Cluster Management Console.
Go to Deployment Status > ActiveGates, select the ActiveGate, and provide a publicly available IP address.
For the Cluster node, go to Settings > Public endpoints and enable Enable management of domain name and SSL certificates.

Use your own domain and certificate

Review requirements

Disable automatic certificate management

Upload your certificate

Review requirements

You need the SSL certificate and key files you received from your certificate authority (CA):

Server certificate (.cer or .cert)
Root and intermediate certificates (.cer or .cert)
Private key (.pem)

Encrypted private keys

Encrypted private keys are not supported. To decrypt an SSL private key, run:

openssl rsa -in encrypted.ssl.key -out decrypted.ssl.key

encrypted.ssl.key — your encrypted SSL private key file.
decrypted.ssl.key — the output file for the decrypted key.

The command prompts you for the password and saves the decrypted key.

Disable automatic certificate management

To disable automatic certificate management:

Log in to the Cluster Management Console.
Select the Cluster node and go to Settings > Public endpoints.
Disable Enable management of domain name and SSL certificates.
Enter your domain name in the Cluster ActiveGate URL field.

Upload your certificate

Upload or paste your certificate via the Cluster Management Console or the Cluster REST API v1. To use the Cluster Management Console:

Log in to the Cluster Management Console.
On the Deployment Status page, expand the ActiveGate you want to configure and select Configure.
Select Edit SSL certificate.
Paste or upload the key files you received from your CA.
- Private key: your private key.
- Public key certificate: your server certificate.
- Certificate chain: your root and intermediate certificates.
All keys and certificates must be in PEM format with full BEGIN and END headers.
Key format:
-----BEGIN PRIVATE KEY-----
(Private Key)
-----END PRIVATE KEY-----
Certificate format:
-----BEGIN CERTIFICATE-----
(SSL Certificate)
-----END CERTIFICATE-----
Select Save.

Name-mismatch error

Your certificate is tied to a specific hostname. To avoid a name-mismatch error, make sure the common name (CN) in the certificate matches the address specified in the Cluster ActiveGate URL field.