This section describes details and best practices for configuring API Monitoring Radar agent certificates.
In this topic:
The Radar agent supports certificates from the following authority list: Mozilla Included CA Certificate List.
From October 2023, the Radar agent has transitioned to using public certificates issued by Let's Encrypt, which are in turn signed by the ISRG Root X1 trusted root certificate authority. A comprehensive guide on this process can be found on the Let's Encrypt website.
Given that the majority of operating systems and contemporary browsers recognize the ISRG Root X1 root certificate authority, you should not encounter any complications when using system- or OS-level certificate authority bundles.
We recommend the following best practices when configuring trusted certificates:
Use the latest version of the Radar agent.
When running the Radar agent, if your system or OS has been properly configured with the trusted certificate authorities, opt for the use-system-certs option.
Alternatively, use the cafile option when running the Radar agent to supply a custom CA bundle.
Important: API Monitoring periodically updates leaf/child certificate for api.runscope.com or *.runscope.com. If you are providing the Radar agent with a custom CA bundle file, ensure to include the ISRG Root X1 trusted root certificate and not just the leaf/child certificate. Do this to avoid service interruption or failure when the certificates are refreshed.
If you are unsure if your system or OS has trusted certificate authorities configured properly and you do not have a custom CA bundle file, allow the Radar agent to download a trusted CA bundle from https://mkcert.org/generate. This method requires network or firewall access to the mkcert.org domain.
For more information on configuration options, see the configuration file reference in Radar Agent Overview.