Configuring your SSL certificates

To communicate with the New Relic collector over HTTPS, you need to have the proper certificates for trusted signers in the trust store on your app server. By default, most JREs contain a valid root certificate that allows the agent to connect to However, starting in 6.1.0, for applications that use a custom trust store, the Java agent will use a bundled certificate that is valid for up to a year after release. Before that certificate expires, you must either update to the latest agent version or provide a valid certificate using the ca_bundle_path configuration.

The Java agent will begin logging a warning message upon application startup when there are less than three months before the bundled certificate expires.

For Java agent versions prior to 6.0.0, applications that require valid certificates may add them in one of the following two ways:

  • Use YAML-based configuration.
  • Add the bundled list of New Relic trusted signers to the local store.

Using YAML-based configuration

The New Relic Java agent bundles the list of trusted signers in the agent newrelic.jar file. If you do not want to change the local trust store, you can activate them by setting use_private_ssl to true in the newrelic.yml agent configuration file:

common: &default_settings
  use_private_ssl: true

  # ============================== LICENSE KEY ===============================

  # You must specify the license key associated with your New Relic

Adding New Relic trusted signers to the local store

You can also add the bundled list of trusted signers to your local trust store. The default location for the local trust store is $JAVA_HOME/jre/lib/security/cacerts. To override this location, set the property in your launch command to the target location.

To add the bundled list of trusted signers to your local trust store:

  1. Make a backup copy of your trust store:

    cp /path/to/truststore /path/to/truststore.orig

  2. Extract the New Relic trust store from the agent jar:

    jar xvf /path/to/newrelic.jar nrcerts

    If you are prompted for a password during this step, leave the password space blank and confirm.

  3. Merge the New Relic trust store into your trust store:

    keytool -importkeystore -srckeystore nrcerts -destkeystore /path/to/truststore

  4. Restart your app server to take advantage of the updated trust store and communicate with New Relic securely.

Step 3 refers to srckeystore and destkeystore even though we are manipulating trust stores. This is correct. A trust store is a key store used for client-side certificates.
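
After the merge in step 3, it is worth confirming that no entry in the trust store is expired or close to expiry, since the agent only starts warning within three months of the bundled certificate's expiration. The following is an added example, not New Relic's code: it parses the text printed by keytool -list -v -keystore /path/to/truststore and reports entries that are expired or expire within 90 days. The sample listing, its aliases and dates, and the 90-day threshold are assumptions made for illustration, and the parser assumes English-locale keytool output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v -keystore /path/to/truststore` output
# (English locale); aliases, owners and dates are made up for illustration.
SAMPLE_LISTING = """\
Alias name: example-root-ca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Valid from: Fri Nov 10 00:00:00 UTC 2006 until: Mon Nov 10 00:00:00 UTC 2031

Alias name: example-bundled-cert
Entry type: trustedCertEntry
Owner: CN=collector.example.test
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Fri Jan 01 00:00:00 UTC 2021
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
UNTIL_RE = re.compile(r"until:\s*\w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")


def expiring_entries(listing, now, warn_days=90):
    """Return [(alias, not_after, status)] for entries expired or expiring soon.

    Only the first "until:" after each alias (the entry's own certificate) is
    used. The time zone token is ignored, so results are accurate to about a day.
    """
    findings, alias = [], None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            alias = m.group(1).strip()
            continue
        m = UNTIL_RE.search(line)
        if m and alias is not None:
            mon, day, clock, year = m.groups()
            not_after = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
            if not_after <= now:
                findings.append((alias, not_after, "EXPIRED"))
            elif not_after - now <= timedelta(days=warn_days):
                findings.append((alias, not_after, "EXPIRING"))
            alias = None  # skip further chain certificates of this entry
    return findings


if __name__ == "__main__":
    for alias, not_after, status in expiring_entries(SAMPLE_LISTING, datetime(2020, 11, 1)):
        print(f"{status}: {alias} (not after {not_after:%Y-%m-%d})")
```

To check a real trust store, pass the captured keytool output and datetime.now() instead of the constructed sample.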
