Data Management for VMware Tanzu generates a TLS v1.2 self-signed certificate for its user interface when you deploy the Provider VM. This certificate is not certified by any public certificate authority.

If your organization employs more retrictive certificate policies, you can replace the default Data Management for VMware Tanzu UI self-signed certificate with your own custom certificate.

When you replace the default certificate with a custom certificate, Data Management for VMware Tanzu:

  • Validates the new certificate.
  • Loads the certificate files to a temporary location on the file system of the Provider VM.
  • Saves the certificate files to a database on the Provider VM.
  • Copies the new certificates to the real location on the Provider VM file system.
  • Restarts the Data Management for VMware Tanzu UI service.

Any currently running UI sessions must refresh after the restart to use the new certificate.


Ensure that the key and custom certificate that you generate meet these requirements:

  • You generate an RSA key with a 2048-bit length.
  • The extension of the key file must be one of .key or .pem.
  • The key file must include a single BEGIN PRIVATE KEY / END PRIVATE KEY block that identifies the key for the custom Data Management for VMware Tanzu UI certificate.
  • You generate the certificate signing request based on the 2048-bit RSA key.
  • The file extension of the custom Data Management for VMware Tanzu UI certificate must be one of .crt, .pem, or .cer.
  • A (chained) certificate must include one or more BEGIN CERTIFICATE / END CERTIFICATE blocks with the specified number of components, in the following order:

    • Certificate for the Data Management for VMware Tanzu UI (1)
    • Intermediate Certificate (0-n)
    • Root Certificate (0-1)


You can replace the default UI certificate with a custom certificate only via the Data Management for VMware Tanzu API; this operation is not yet supported via the console.

POST https://<provider-ip-address>/appliance/certificate

Request parameters:

key: <key-file>
certificate: <cert-file>


In most cases, Data Management for VMware Tanzu rolls back to the self-signed DMS certificate when certificate replacement fails. If DMS is unable to roll back, you can SSH into the Provider VM and manually copy the custom certificate to the required file system location:

$ cp custom-ui-cert.pem /opt/vmware/tdm-provider/cert/provider-api-cert.pem
$ cp custom-ui-key.pem /opt/vmware/tdm-provider/cert/provider-api-key.pem

You must also manually restart the UI service:

$ docker exec -it provider-ui bash -c "/usr/sbin/nginx -s reload"

If you are running the Provider in High Availability mode and certificate replacement via the API fails on any node, run the steps above on each failed node.

check-circle-line exclamation-circle-line close-line
Scroll to top icon