Data Management for VMware Tanzu generates a TLS v1.2 self-signed certificate for its user interface when you deploy the Provider VM. This certificate is not certified by any public certificate authority.
If your organization employs more restrictive certificate policies, you can replace the default Data Management for VMware Tanzu UI self-signed certificate with your own custom certificate.
When you replace the default certificate with a custom certificate, Data Management for VMware Tanzu:
Any currently running UI sessions must refresh after the restart to use the new certificate.
Ensure that the key and custom certificate that you generate meet these requirements:
A BEGIN PRIVATE KEY / END PRIVATE KEY block that identifies the key for the custom Data Management for VMware Tanzu UI certificate.
A (chained) certificate must include one or more BEGIN CERTIFICATE / END CERTIFICATE blocks with the specified number of components, in the following order:
You can replace the default UI certificate with a custom certificate only via the Data Management for VMware Tanzu API; this operation is not yet supported via the console.
key: <key-file>
certificate: <cert-file>
In most cases, Data Management for VMware Tanzu rolls back to the self-signed DMS certificate when certificate replacement fails. If DMS is unable to roll back, you can SSH into the Provider VM and manually copy the custom certificate to the required file system location:
$ cp custom-ui-cert.pem /opt/vmware/tdm-provider/cert/provider-api-cert.pem
$ cp custom-ui-key.pem /opt/vmware/tdm-provider/cert/provider-api-key.pem
You must also manually restart the UI service:
$ docker exec -it provider-ui bash -c "/usr/sbin/nginx -s reload"
If you are running the Provider in High Availability mode and certificate replacement via the API fails on any node, run the steps above on each failed node.
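The following script is an added example, not part of the product documentation: it checks that the key and certificate files have the PEM block structure described above before they are submitted or copied, and wraps the manual fallback so that the files already in place are backed up first. The destination directory, file names and the provider-ui reload command are taken from the page; the backup naming and the restrictive key permissions are assumptions.

```shell
#!/bin/sh
# Pre-flight check and manual fallback for a custom UI certificate (added example).
set -eu

# count_pem_blocks FILE LABEL: prints how many complete
# "-----BEGIN LABEL----- ... -----END LABEL-----" blocks FILE contains.
count_pem_blocks() {
    awk -v label="$2" '
        BEGIN { b = "-----BEGIN " label "-----"; e = "-----END " label "-----" }
        $0 == b { open = 1; next }
        $0 == e { if (open) { n++; open = 0 } }
        END { print n + 0 }' "$1"
}

# check_pem KEY_FILE CERT_FILE: succeeds only when the key file holds exactly one
# PRIVATE KEY block and the certificate file holds at least one CERTIFICATE block.
check_pem() {
    keys=$(count_pem_blocks "$1" "PRIVATE KEY")
    certs=$(count_pem_blocks "$2" "CERTIFICATE")
    if [ "$keys" -ne 1 ]; then
        echo "key file must contain exactly one PRIVATE KEY block (found $keys)" >&2
        return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "certificate file must contain at least one CERTIFICATE block" >&2
        return 1
    fi
}

# install_cert KEY_FILE CERT_FILE [DEST_DIR]: the manual fallback from the page,
# with a timestamped backup of the files being replaced (assumed naming).
# DEST_DIR defaults to the Provider VM certificate directory named on the page.
install_cert() {
    dest=${3:-/opt/vmware/tdm-provider/cert}
    check_pem "$1" "$2"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in provider-api-cert.pem provider-api-key.pem; do
        [ -f "$dest/$f" ] && cp "$dest/$f" "$dest/$f.$stamp.bak"
    done
    cp "$2" "$dest/provider-api-cert.pem"
    cp "$1" "$dest/provider-api-key.pem"
    chmod 600 "$dest/provider-api-key.pem"   # keep the private key unreadable to others
}

# reload_ui: the UI service restart from the page, run after install_cert.
reload_ui() {
    docker exec -it provider-ui bash -c "/usr/sbin/nginx -s reload"
}
```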