Troubleshoot Mutual TLS Certificate Issues
When you upload a signed TLS certificate on your AppDynamics Controller, the Controller validates the certificate. If the certificate does not conform to the upload requirements, you see an error and the upload fails. This document explains the errors that you might encounter and how to resolve them.
Error: Certificate information does not match the CSR
When you generate a certificate signing request (CSR), AppDynamics creates a public-private key pair. The private key stays with AppDynamics in a secure key store, and the public key is embedded in the CSR. You must have that same CSR signed by a Certificate Authority (CA) of your choice to obtain the signed TLS certificate, and for mutual TLS to work you must upload that signed certificate to your AppDynamics Controller. If you upload a TLS certificate that was issued from a different CSR, the public key in the certificate does not match the private key that the Controller holds, and the AppDynamics Controller displays an error.
Resolution:
You must upload a signed TLS certificate that was issued from the same CSR so that the public-private key pair matches.
Error: Only client certificates are supported
In mutual TLS authentication, the AppDynamics Controller acts as the client and the endpoint that receives the alerts acts as the server. Therefore, when you upload a signed TLS certificate, the AppDynamics Controller checks whether the certificate is a client certificate. If you upload a server certificate, you get this error.
Resolution:
From Alert & Respond > Mutual TLS Configuration, download an unused CSR or generate a new CSR and get it signed by a CA. Then upload the signed TLS certificate.
Error: Only Base 64-encoded certificates are supported
AppDynamics Controller supports only Base64-encoded certificates for mutual TLS authentication. Base64 is the industry-standard format for encoding SSL certificate content. The following example shows a Base64-encoded certificate, where the content is enclosed within the BEGIN CERTIFICATE and END CERTIFICATE clauses:
-----BEGIN CERTIFICATE-----
MIIB0TCCATqgAwIBAgIQUq+2SdEkLr5K6xqjSEvRsDANBgkqhkiG9w0BAQUFADAU
MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTIwODA0MDA0OTEyWhcNMTcwODA0MDAw
MDAwWjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
...
Y2nd44bYEpmaBy7XJ5UIGEkuD3VIxT2S+2bCwkRR+9/+7vggR2q7l7YEktM2mFBI
yqOMOroAw+5cdc06c/B7UimwKFczsyhi9LUIr3rXI42FdXBHWw==
-----END CERTIFICATE-----
If you upload a signed TLS certificate that is not Base64-encoded, you get this error.
Resolution:
Copy and upload the Base64-encoded text, including the BEGIN CERTIFICATE and END CERTIFICATE clauses, from the TLS certificate.
Error: The certificate has expired
The signed TLS certificate has an expiry date specified by the applicant or the CA. If you upload a TLS certificate that has already expired, you get this error.
Resolution:
From Alert & Respond > Mutual TLS Configuration, generate a CSR and get it signed by a CA. Then upload the signed TLS certificate.
Error: Certificate chain is not valid
The certificate chain must contain a leaf certificate followed by intermediate certificates. The first certificate must be the leaf certificate and the subsequent certificates must be the intermediate certificates, and each certificate must be signed by the certificate that follows it. If you upload a certificate chain that does not follow this order, you get this error.
Resolution:
Upload a valid certificate chain that contains the certificates in the correct sequence.
Error: Certificate chain depth cannot be more than the limit
The maximum length of the certificate chain that you can use depends on the value of the flag appdynamics.controller.alerting.mtls.max.certificate.chain.length. This flag resides in the Controller Settings page. By default, the flag value is two. If the length of your uploaded certificate chain is more than the specified value, you get this error.
Resolution:
Upload a certificate chain whose length is within the value specified in the flag appdynamics.controller.alerting.mtls.max.certificate.chain.length. Alternatively, you can update the value of the flag. See Controller Setting for Certificate Chain Length.
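As an added local pre-check (not part of AppDynamics or of this page), the following POSIX shell function uses the openssl CLI to run the same validations the Controller performs, in the order the errors above describe, before you upload the certificate. It assumes openssl is in PATH, a bundle ordered leaf-first as you would upload it, and a chain-length limit of 2 when none is given, matching the flag's default.

```shell
# Usage: mtls_precheck CHAIN.pem [CSR.pem] [MAX_DEPTH]
#   CHAIN.pem  PEM bundle as you would upload it: leaf first, then intermediates
#   CSR.pem    the CSR downloaded from the Controller (optional)
#   MAX_DEPTH  assumed limit, default 2 (the flag's documented default)
# Prints the matching Controller error text and returns 1 on the first failed
# check; returns 0 when every check passes.
mtls_precheck() {
  chain=$1; csr=$2; maxdepth=${3:-2}; msg=""
  tmp=$(mktemp -d) || return 1
  # Only Base64-encoded (PEM) certificates are supported: count PEM blocks.
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null || true)
  [ "${n:-0}" -ge 1 ] || msg="Only Base 64-encoded certificates are supported"
  # Certificate chain depth cannot be more than the limit.
  if [ -z "$msg" ] && [ "$n" -gt "$maxdepth" ]; then
    msg="Certificate chain depth cannot be more than the limit"
  fi
  if [ -z "$msg" ]; then
    # Split the bundle into cert1.pem (leaf), cert2.pem, ... for per-certificate checks.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{i++} i{print > (d "/cert" i ".pem")}' "$chain"
    leaf="$tmp/cert1.pem"
    # Only client certificates are supported: the leaf needs the clientAuth EKU.
    if ! openssl x509 -in "$leaf" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'; then
      msg="Only client certificates are supported"
    # The certificate has expired: -checkend 0 fails once notAfter has passed.
    elif ! openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1; then
      msg="The certificate has expired"
    fi
  fi
  # Certificate chain is not valid: certificate i must be signed by certificate i+1.
  i=1
  while [ -z "$msg" ] && [ "$i" -lt "$n" ]; do
    if ! openssl verify -partial_chain -CAfile "$tmp/cert$((i+1)).pem" "$tmp/cert$i.pem" >/dev/null 2>&1; then
      msg="Certificate chain is not valid"
    fi
    i=$((i+1))
  done
  # Certificate information does not match the CSR: both must carry the same public key.
  if [ -z "$msg" ] && [ -n "$csr" ]; then
    a=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null || true)
    b=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null || true)
    [ -n "$a" ] && [ "$a" = "$b" ] || msg="Certificate information does not match the CSR"
  fi
  rm -rf "$tmp"
  [ -z "$msg" ] && return 0
  echo "$msg"; return 1
}
```

The checks are ordered so that a bundle fails on the same condition the Controller would report first; a self-signed certificate counts as a chain of length 1, so the signing-order loop only runs for real chains.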