Change certificate for on-prem

If Customer wants to change or use their own certificate for on-prem, there is a possibility to set that.

As it is described in our documentation: https://www.instana.com/docs/self_hosted_instana/configuration/#replacing-existing-certificates

 

To replace existing certificates with other certificates, in the settings.hcl file update paths to your certificate files. Then the system must be updated by instana update -f /path/to/settings.hcl.

cert {
  crt = "/mnt/cert/tls.crt"
  key = "/mnt/cert/tls.key"
}
Make sure that the name and path are correct.
 
If the customer ends up to an issue, please check that the certificate and key are in the correct format.
You can simply check this with:
 
file certificate_name.crt
file key_name.crt
 
The output should be like this:
Screenshot_2020-12-21_at_09.32.37.png
 
 
We can check this by opening the certificate and the key file with cat or vi.
The certificate should always begin with:
-----BEGIN CERTIFICATE-----
and ends with:
-----END CERTIFICATE-----


The key should be the private one.

Note: Make sure that the customer has a private key as instana can’t work with the encrypted one.
-----BEGIN RSA PRIVATE KEY-----

and ends with:

-----END RSA PRIVATE KEY-----



If something is wrong with the certificate the error should be visible in logs:

2020-12-15 08:24:54,703 [main] ERROR c.i.b.c.d.InstanaDropwizardApplication - Unexpected error during application startup 
java.lang.IllegalStateException: /etc/instana_tls/acceptor.keystore is not a valid keystore
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
Have more questions? Submit a request

Comments