Installing CA-signed Certificate


The following instructions assume that you have obtained certificate files in PEM format from a certificate authority.

  • SSL certificate for the DNS name
  • Intermediate and root CA SSL certificates
  • Private key file

To automate the SSL certificate renewal, consider deploying Let's Encrypt certificates.

Combine Chained Certificates

Combine the SSL certificates into one file to create a full certificate chain containing both the DNS and intermediate certificates.

cat >

Install Certificates in ATSD

The certificates can be either uploaded into ATSD or installed by deploying a keystore file on the local file system.

Upload Certificates to ATSD

If the certificate files are in PEM format, upload them to ATSD using curl.

Alternatively, create a PKCS12 keystore as described below.

Replace with the DNS name or IP address of the ATSD server and update the API token value.

sudo curl \
  --insecure \
  --header "Authorization: Bearer ubFPnLvPJK3vOOlAjvQVtdkMkY1gfRscSi9k" \
  -F "" \
  -F "" \
  -w "\n%{http_code}\n"

The certificates are installed and activated without restarting the database.

Deploy Keystore File

Create PKCS12 Keystore

Log in to ATSD server shell.

Create a PKCS12 keystore.

openssl pkcs12 -export -inkey \
  -in -out
Enter Export Password: NEW_PASS
Verifying - Enter Export Password: NEW_PASS

Remove Old Keystore File

Backup the current server.keystore file.

mv /opt/atsd/atsd/conf/server.keystore /opt/atsd/atsd/conf/server.keystore.backup

Create JKS Keystore

Use the keytool command to create a new JKS keystore by importing the PKCS12 keystore file.

keytool -importkeystore -srckeystore \
  -srcstoretype PKCS12 -alias 1 -destkeystore /opt/atsd/atsd/conf/server.keystore -destalias atsd
Enter destination keystore password: NEW_PASS
Re-enter new password: NEW_PASS
Enter source keystore password: NEW_PASS

Update Keystore Passwords

Open /opt/atsd/atsd/conf/ file.

nano /opt/atsd/atsd/conf/

Specify the new password (in plain or obfuscated text) in https.keyStorePassword and https.keyManagerPassword settings.

Leave https.trustStorePassword blank.


Restart ATSD


Verify Certificate

Log in to ATSD by entering its DNS name in the browser address bar and check its certificate by clicking on the SSL security icon.

Check the status of the new certificate on the Settings > Certificates page. The record is highlighted in green if:

  • The certificate is trusted by the default trust manager of the Java Runtime Environment.
  • The certificate dates are valid and the expiration date is no earlier than 30 days from now.


Check the contents of the keystore.

keytool -list -v -keystore /opt/atsd/atsd/conf/server.keystore

The output must contain an entry for atsd alias, for example:

Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: atsd
Creation date: Apr 18, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US