APM Server certificate authenticationedit
By default, when using HTTPS to communicate with APM Server, the agents will verify the identity of the APM Server by authenticating its certificate.
It is not recommended to change this default, however it is possible through the
If the certificate used by the APM Server is self-signed, you would need to add the same certificate (or the root certificate of the custom CA that signed it) to the JVM’s truststore.
You can find which truststore is used by setting
in the command line.
Typically, it would be
For example, you can use
keytool to import a certificate into the truststore:
keytool -import -alias apm-server-cert -file /path/to/certificate.crt -keystore /path/to/truststore
Agent certificate authenticationedit
If SSL client authentication is enabled on the APM server, the agent will be required to send a proper certificate as part of the HTTPS handshake. There is currently no configuration on the Java agent that supports that and no one straightforward option to do that that is suitable for all cases. Generally speaking, the agent will send a certificate from the JVM keystore. So, if your JVM does not use a keystore already, add the certificate file and the corresponding private key into a keystore and configure your JVM to use it:
-Djavax.net.ssl.keyStore=keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=<password>