Configuring your SSL certificates

To communicate with the New Relic collector over SSL, you need to have the proper certificates for trusted signers in the trust store on your app server. There are two ways to do this:

  • Use YAML-based configuration.
  • Add the bundled list of New Relic trusted signers to the local store.

Using YAML-based configuration

The New Relic Java agent bundles the list of trusted signers in the agent .jar file. If you do not want to change the local trust store, you can activate them by setting use_private_ssl to true in the newrelic.yml agent configuration file.

common: &default_settings
  use_private_ssl: true

  #
  # ============================== LICENSE KEY ===============================

  # You must specify the license key associated with your New Relic
  # account.  This key binds your Agent's data to your account in the
  # New Relic service.
  license_key: ...

Adding New Relic trusted signers to the local store

You can also add the bundled list of trusted signers to your local trust store. The default location for the local trust store is $JAVA_HOME/jre/lib/security/cacerts. To override this location, set the javax.net.ssl.trustStore property in your launch command to the target location.

To add the bundled list of trusted signers to your local trust store:

  1. Make a backup copy of your trust store:

    % cp /path/to/truststore /path/to/truststore.orig

  2. Extract the New Relic trust store from the agent jar:

    % jar xvf /path/to/newrelic.jar nrcerts

    If you are prompted for a password during this step, leave the password space blank and confirm.

  3. Merge the New Relic trust store into your trust store:

    % keytool -importkeystore -srckeystore nrcerts -destkeystore /path/to/truststore

  4. Restart your app server to take advantage of the updated trust store and communicate with New Relic securely.

Step 3 refers to srckeystore and destkeystore even though we are manipulating trust stores. This is correct. A trust store is a key store used for client-side certificates.
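
A check for the merge in step 3, as an added example that is not part of New Relic's documentation or agent: it compares the certificate fingerprints in keytool -list output for nrcerts and for your trust store, and prints any bundled signer that did not reach the destination. The function names are this example's own, and the listings embedded in demo are constructed samples.

```shell
#!/bin/sh
# Added example, not New Relic's code. Real listings would come from:
#   keytool -list -keystore nrcerts > nrcerts.list
#   keytool -list -keystore /path/to/truststore > truststore.list

# Print sorted, unique certificate fingerprints from `keytool -list` output
# on stdin. Accepts any digest label, e.g. "(SHA1)" or "(SHA-256)".
list_fingerprints() {
  sed -n 's/^Certificate fingerprint ([^)]*): *\([0-9A-Fa-f:]*\).*$/\1/p' |
    tr 'a-f' 'A-F' | sort -u
}

# Print fingerprints found in listing file $1 but not in listing file $2.
# Both listings must come from the same keytool so the digests match.
missing_signers() {
  src_fps=$(list_fingerprints < "$1")
  dst_fps=$(list_fingerprints < "$2")
  for fp in $src_fps; do
    printf '%s\n' "$dst_fps" | grep -qxF "$fp" || printf '%s\n' "$fp"
  done
}

# Constructed sample listings; the aliases and fingerprints are made up.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/nrcerts.list" <<'EOF'
Your keystore contains 2 entries

signer-a, Jan 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:01
signer-b, Jan 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:02
EOF
  cat > "$dir/truststore.list" <<'EOF'
Your keystore contains 2 entries

existing-ca, Jan 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CC:CC:CC:03
signer-a, Jan 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): aa:aa:aa:01
EOF
  missing_signers "$dir/nrcerts.list" "$dir/truststore.list"
  rm -rf "$dir"
}

demo   # prints BB:BB:BB:02, the signer that did not reach the destination
```

Empty output means every signer listed for nrcerts is also in the destination listing; running the same comparison against the backup from step 1 shows exactly which signers the merge added.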

For more help

Additional documentation resources include New Relic for Java (compatibility and requirements, installation, and configuration).

Join the discussion about Java monitoring in the New Relic Online Technical Community! The Technical Community is a public platform to discuss and troubleshoot your New Relic toolset.

If you need additional help, get support at support.newrelic.com.