Manage CA certificate in Go and Java APM Agents


Hi there,
I'm using APM-Server and APM-Agents clients in Go and Java.
I'm moving to HTTPS, but I'm using a private CA to issue server certificates (it is the same CA used for logstash, elastic and beat client authentication).
I see in the Ruby implementation there is an ELASTIC_APM_SERVER_CA_CERT param, but this is missing in the Java and Go agent implementations. There is an ELASTIC_APM_SERVER_CERT param, but this is not practical to use, since in our environment there are multiple APM Server nodes.
In Java I assume I need to put the CA certificate in the Java TrustStore. What is the correct pattern in Go?
I would like to avoid setting ELASTIC_APM_VERIFY_SERVER_CERT to false.

Yes, in Java you can configure the trust store.

Currently the Go agent does not provide configuration for this. I've opened to add it. In the meantime, you could do this in code if you're so inclined:

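package main

import (
        "crypto/x509"
        "io/ioutil"
        "net/http"

        "go.elastic.co/apm"
        "go.elastic.co/apm/transport"
)

func main() {
        // Reach into the default tracer's HTTP transport to adjust its TLS settings.
        apmTransport := apm.DefaultTracer.Transport.(*transport.HTTPTransport)
        httpTransport := apmTransport.Client.Transport.(*http.Transport)

        pem, err := ioutil.ReadFile("/path/to/ca.pem")
        if err != nil {
                // ...
        }
        caCerts := x509.NewCertPool()
        // Without this call the pool stays empty and every server certificate is rejected.
        if !caCerts.AppendCertsFromPEM(pem) {
                // ...
        }
        httpTransport.TLSClientConfig.RootCAs = caCerts
}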

One of my colleagues pointed out that on UNIX(-like) systems, you can also set the SSL_CERT_FILE environment variable to override the system default location for certs. This would be effectively the same as setting the future ELASTIC_APM_SERVER_CA_CERT environment variable.
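An added example, not code from this thread or from the Elastic agents, showing what a private-CA root pool gives you when there are several APM Server nodes: every node certificate issued by the CA verifies, and a certificate for the same host name that the CA did not issue is rejected, with verification left on. The host names, certificates and the names `PoolFromPEM`, `issue` and `Demo` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// PoolFromPEM builds a root pool and fails closed when no certificate parses.
func PoolFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no CA certificate found in PEM data")
	}
	return pool, nil
}

// issue makes a constructed sample cert (errors dropped); nil parent = self-signed CA.
func issue(n int64, host string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo verifies two node certs issued by the private CA and one cert that is not.
func Demo() (node1, node2, outsider bool) {
	ca, caKey := issue(1, "ca.example.internal", nil, nil)
	n1, _ := issue(2, "apm-1.example.internal", ca, caKey)
	n2, _ := issue(3, "apm-2.example.internal", ca, caKey)
	fake, _ := issue(4, "apm-1.example.internal", nil, nil) // self-signed, not from the CA
	pool, _ := PoolFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))
	ok := func(c *x509.Certificate, host string) bool { // chain and host name must both check out
		_, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
		return err == nil
	}
	return ok(n1, "apm-1.example.internal"), ok(n2, "apm-2.example.internal"), ok(fake, "apm-1.example.internal")
}

func main() { a, b, c := Demo(); println(a, b, c) }
```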
