I'm trying to configure the DX SaaS Cloud proxy to use my existing EM certificates & JKS. Need help on proper setup or conversion from EM Java KeyStore to this setup:
– apm.server.keyCertChainFile
Input a path to an X.509 certificate file in PEM format.
– apm.server.keyFile
Input a path to a PKCS#8 private key file in PEM format
My current certificate files are based on PKCS#7, so not sure if this is an issue. I have access to these files:
.crt – the default certificate format returned when using the Sectigo email retrieval link for “x509 Certificate Only; Base 64 encoded” certificate. Most applications use this.
.cer – the format used by most servers (Web, Application) in order to validate or verify their identity.
.pem – Created by using OpenSSL to change the extension from .crt to .pem. The format needed to construct a .pfx file. For private key installation on a server.
PKCS12 (.pfx) – Also known as the PFX or p12 File. Created when you combine the Certificate Authority (Sectigo) Chained Pem, your certificate (in .pem format) and the private key (.key file) in a single, encrypted file.
Chained .pem – Contains the Certificate Authority (Sectigo) public root and intermediate certificates. Needed to create a .pfx file.
PKCS7 – only stores the X.509 certificate, does not include the private key
I currently have configured:
# SSL Configuration
# If true, then the secure server will generate a self-signed certificate on startup. (default: true)
apm.server.useSelfSignedCert: false
# A X.509 certificate chain file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyCertChainFile: /opt/ca/cloudproxy/config/Certificates/abc.cer
# A PKCS#8 private key file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyFile: /opt/ca/cloudproxy/config/Certificates/abc.pem
#apm.server.keyFile: /opt/ca/cloudproxy/config/Certificates/NEW_APM.pem
# Protocols enabled for encrypted connections
apm.server.secureProtocols: TLSv1.2
Release : SAAS
Component : Integration with APM
1) To generate the self-signed certificate:
myhost=$(hostname -f)
# Self-signed certificate (cert.pem) and RSA key (key.pem); without -nodes, openssl prompts for a passphrase to encrypt key.pem
openssl req -x509 -subj "/CN=$myhost" -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650
# Re-encode the key as unencrypted PKCS#8, the format apm.server.keyFile expects
openssl pkcs8 -topk8 -inform PEM -outform PEM -in key.pem -out key-pkcs8.pem -nocrypt
# Import the certificate into a JKS truststore (trust.jks)
keytool -importcert -keystore trust.jks -storepass changeit -file cert.pem
2) Use the properties in application.yml in cloud proxy:
apm.server.useSelfSignedCert: false
# A X.509 certificate chain file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyCertChainFile: /root/cloudproxy/cert.pem
# A PKCS#8 private key file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyFile: /root/cloudproxy/key-pkcs8.pem
3) Copy cert.pem to the .NET agent machine and configure IntroscopeAgent.profile with the HTTPS connection details for the cloud proxy.
4) Add the following properties:
agentManager.ssl.certPolicy=Accept
transport.tcp.keystore.1=<path to the pem file>
transport.tcp.keypassword.1=changeit
5) Restart the application (iisreset).
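The question above starts from an existing EM keystore rather than a fresh self-signed certificate. The script below is an added example, not part of the KB article: it converts a JKS (via keytool, defined but not run by the demo) or a PKCS#12 into the PEM certificate chain and unencrypted PKCS#8 key that apm.server.keyCertChainFile and apm.server.keyFile expect, extracts certificates from a PKCS#7 bundle, and checks that the key really belongs to the certificate. The file names, the password changeit and the CN cloudproxy.example are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the KB article): turn an existing keystore into the
# two files the cloud proxy expects, a PEM certificate chain and an unencrypted
# PKCS#8 key, then check that the key belongs to the certificate.
set -eu

# JKS -> PKCS#12 (needs a JDK). Not exercised by demo(), which builds its
# constructed input directly as PKCS#12 with openssl.
jks_to_p12() {  # $1=keystore.jks $2=store password $3=output.p12
  keytool -importkeystore -srckeystore "$1" -srcstoretype JKS -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype PKCS12 -deststorepass "$2"
}

# PKCS#12 -> chain.pem (leaf + CA certs, for apm.server.keyCertChainFile)
#           + key-pkcs8.pem (unencrypted PKCS#8, for apm.server.keyFile)
p12_to_pem() {  # $1=input.p12 $2=store password $3=output dir
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3/chain.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key-raw.pem"
  openssl pkcs8 -topk8 -nocrypt -in "$3/key-raw.pem" -out "$3/key-pkcs8.pem"
  rm -f "$3/key-raw.pem"
  chmod 600 "$3/key-pkcs8.pem"   # the key is now in clear text on disk
}

# PKCS#7 (.p7b) holds certificates only; dump them as PEM.
p7b_to_pem() {  # $1=bundle.p7b $2=output.pem
  openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# The public key in the first certificate of the chain must equal the key's
# public part; a mismatched pair cannot be used for TLS.
key_matches_cert() {  # $1=chain.pem $2=key-pkcs8.pem ; exit status 0 on match
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Demo on constructed input: a throwaway self-signed cert packed into PKCS#12,
# standing in for the exported EM keystore. Prints the output directory.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=cloudproxy.example" \
    -keyout "$d/demo-key.pem" -out "$d/demo-cert.pem" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey "$d/demo-key.pem" -in "$d/demo-cert.pem" \
    -passout pass:changeit -out "$d/demo.p12"
  p12_to_pem "$d/demo.p12" changeit "$d"
  key_matches_cert "$d/chain.pem" "$d/key-pkcs8.pem" && echo "$d"
}
```

Run `demo` to see the conversion on a throwaway certificate; for a real keystore call `jks_to_p12` and then `p12_to_pem` with the actual paths, and point the two apm.server.* properties at the resulting chain.pem and key-pkcs8.pem.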