[AGENTRUN-871] Add Agent v5 documentation for Sectigo Root CA rotation (2025–2026) #32589
Looks great! I made some comments for editing and for structure, so let me know if I can help implement any of it, or if I can clarify anything 🙂
| You are affected if: | ||
| - You are running **Datadog Agent v5**, particularly **versions below 5.32.7** | ||
| - Your agent installation does not include the Datadog embedded certificate bundle | ||
| - Your agent is not configured to use the operating system's certificate store (via `use_curl_http_client: true`) |
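Review bot: The three bullets under "You are affected if:" do not say whether they combine with "and" or with "or", and "particularly versions below 5.32.7" leaves open whether 5.32.7 and later are affected at all. Suggest stating the logic explicitly, for example "You are affected if all of the following are true", and giving a hard version cutoff so that operators can scope their fleet from inventory data alone.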
| - Your agent is not configured to use the operating system's certificate store (via `use_curl_http_client: true`) | |
| - Your agent is not configured to use the operating system's certificate store (using `use_curl_http_client: true`) |
|
|
||
| ## Solution | ||
|
|
||
| ### Automated Solution |
| ### Automated Solution | |
| ### Automated solution |
| .\windows.ps1 | ||
| ``` | ||
|
|
||
| ### Manual Solution |
| ### Manual Solution | |
| ### Manual solution |
| #### Linux | ||
|
|
||
| **Requirement**: |
| #### Linux | |
| **Requirement**: | |
| {{< tabs >}} | |
| {{% tab "Linux" %}} | |
| #### Requirement |
Tabs are usually a go-to when we're documenting mutually exclusive options of doing the same thing, like OS, so I thought I'd try it here. They can be a bit finicky, so let me know if you need help getting them to render properly!
You could also consider things like expanders to house the automatic/manual solutions, but they're not super long and I thought users might want to scope out the differences, so that's not super important for me.
| #### Windows | ||
|
|
||
| **Requirement**: |
| #### Windows | |
| **Requirement**: | |
| {{% /tab %}} | |
| {{% tab "Windows" %}} | |
| #### Requirement |
| 1. Download the updated Datadog certificate bundle | ||
| 2. Install the certificate in the correct location for your Agent installation | ||
| 3. Update your `datadog.conf` to enable `use_curl_http_client: true` (allows the agent to use OS-provided certificates) | ||
| 4. Restart the Datadog Agent to apply changes | ||
| 5. Verify connectivity and check logs for any certificate errors |
| 1. Download the updated Datadog certificate bundle | |
| 2. Install the certificate in the correct location for your Agent installation | |
| 3. Update your `datadog.conf` to enable `use_curl_http_client: true` (allows the agent to use OS-provided certificates) | |
| 4. Restart the Datadog Agent to apply changes | |
| 5. Verify connectivity and check logs for any certificate errors | |
| 1. Download the updated Datadog certificate bundle. | |
| 2. Install the certificate in the correct location for your Agent installation. | |
| 3. Update your `datadog.conf` to enable `use_curl_http_client: true` (allows the agent to use OS-provided certificates). | |
| 4. Restart the Datadog Agent to apply changes. | |
| 5. Verify connectivity and check logs for any certificate errors. |
| {{< partial name="whats-next/whats-next.html" >}} | ||
|
|
||
| [1]: /agent/guide/upgrade_agent_fleet_automation | ||
| [2]: /help |
| [2]: /help | |
| [2]: /help | |
| [3]: https://github.com/DataDog/dd-agent/blob/master/datadog-cert.pem |
| 1. Download the updated Datadog certificate bundle at `https://github.com/DataDog/dd-agent/blob/master/datadog-cert.pem` | ||
| 2. Install the certificate in the correct location for your Agent installation | ||
| - **Linux**: `/opt/datadog-agent/agent/datadog-cert.pem` | ||
| - **Windows**: | ||
| - v5.12+: `C:\Program Files\Datadog\Datadog Agent\agent\datadog-cert.pem` | ||
| - v5.11 and below (64-bit OS): `C:\Program Files (x86)\Datadog\Datadog Agent\files\datadog-cert.pem` | ||
| - v5.11 and below (32-bit OS): `C:\Program Files\Datadog\Datadog Agent\files\datadog-cert.pem` | ||
| 3. Update your `datadog.conf` to enable `use_curl_http_client: true` (allows the agent to use OS-provided certificates) | ||
| - **Linux**: `/etc/dd-agent/datadog.conf` | ||
| - **Windows**: `C:\ProgramData\Datadog\datadog.conf` | ||
| 4. Restart the Datadog Agent to apply changes | ||
| 5. Verify connectivity and check logs for any certificate errors |
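Review bot: The download link in step 1, `https://github.com/DataDog/dd-agent/blob/master/datadog-cert.pem`, is a GitHub `blob` page on the `master` branch, so a user who fetches it with a command-line client receives an HTML page rather than the PEM file, and the content behind the link can change without notice. This file is the certificate bundle the Agent verifies against, so suggest linking the raw file at a pinned commit or tag and publishing a SHA-256 of the bundle for users to compare before installing it. Steps 2 and 3 also read as if both replacing `datadog-cert.pem` and setting `use_curl_http_client: true` are required; say whether either one alone is sufficient, and in step 5 name the log file and the error text to look for.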
| 1. Download the updated Datadog certificate bundle at `https://github.com/DataDog/dd-agent/blob/master/datadog-cert.pem` | |
| 2. Install the certificate in the correct location for your Agent installation | |
| - **Linux**: `/opt/datadog-agent/agent/datadog-cert.pem` | |
| - **Windows**: | |
| - v5.12+: `C:\Program Files\Datadog\Datadog Agent\agent\datadog-cert.pem` | |
| - v5.11 and below (64-bit OS): `C:\Program Files (x86)\Datadog\Datadog Agent\files\datadog-cert.pem` | |
| - v5.11 and below (32-bit OS): `C:\Program Files\Datadog\Datadog Agent\files\datadog-cert.pem` | |
| 3. Update your `datadog.conf` to enable `use_curl_http_client: true` (allows the agent to use OS-provided certificates) | |
| - **Linux**: `/etc/dd-agent/datadog.conf` | |
| - **Windows**: `C:\ProgramData\Datadog\datadog.conf` | |
| 4. Restart the Datadog Agent to apply changes | |
| 5. Verify connectivity and check logs for any certificate errors | |
| 1. Download the [updated Datadog certificate bundle][3]. | |
| 2. Install the certificate in the correct location for your Agent installation. | |
| - **Linux**: `/opt/datadog-agent/agent/datadog-cert.pem` | |
| - **Windows**: | |
| - v5.12+: `C:\Program Files\Datadog\Datadog Agent\agent\datadog-cert.pem` | |
| - v5.11 and below (64-bit OS): `C:\Program Files (x86)\Datadog\Datadog Agent\files\datadog-cert.pem` | |
| - v5.11 and below (32-bit OS): `C:\Program Files\Datadog\Datadog Agent\files\datadog-cert.pem` | |
| 3. Update your `datadog.conf` to enable `use_curl_http_client: true` (allows the Agent to use OS-provided certificates). | |
| - **Linux**: `/etc/dd-agent/datadog.conf` | |
| - **Windows**: `C:\ProgramData\Datadog\datadog.conf` | |
| 4. Restart the Datadog Agent to apply changes. | |
| 5. Verify connectivity and check logs for any certificate errors. |
|
|
||
| ## Overview | ||
|
|
||
| In May 2026, Datadog will deploy SSL certificates signed by a new certificate authority (Sectigo Root CA). **If you are running Datadog Agent v5 (especially versions below 5.32.7)**, your agents may lose connectivity with Datadog due to SSL certificate verification failures. |
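Review bot: The Overview sentence gives only "In May 2026" and "may lose connectivity", which is not enough for an operator to plan a change window or recognize the failure. Suggest giving the cutover date as precisely as it is known, reconciling it with the "2025–2026" range in the page title, and describing the observable symptom of the SSL certificate verification failure so it can be matched in Agent logs.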
I don't have the context to know which version of "agents" you're talking about, but we should always capitalize "Agent" when talking about the Datadog Agent. All other "agents" can be lowercase. If you've already done this, awesome!
| 4. Restart the Datadog Agent to apply changes | ||
| 5. Verify connectivity and check logs for any certificate errors | ||
|
|
||
| ## Important considerations |
I would consider moving this whole section higher on the page. The timelines seem important for customers to know how they're affected, and it would help them decide what to do about it. Especially if we really would prefer that customers upgrade to v7, it would make sense to me that we would list that as a possibility first, and then if they really don't want to do that, they could keep reading through other available solutions.
What does this PR do? What is the motivation?
This PR adds a new FAQ entry covering the upcoming Sectigo Root CA rotation that will impact Datadog Agent v5 users in May 2026.
Older Agent v5 versions (particularly those below 5.32.7) may fail SSL verification once Datadog updates its certificates.
The new documentation provides both automated and manual remediation steps for affected users on Linux and Windows.
Key additions
agent-5-sectigo-root-ca-rotation.md
Merge instructions
Additional notes
This documentation aligns with Datadog’s ongoing certificate lifecycle management communications and ensures that legacy Agent users are prepared ahead of the May 2026 CA change.