Data Management for VMware Tanzu generates a single, self-signed Root CA per organization. All Service Instances that you provision in a given organization share the same Root CA.

DMS always generates keys and a new self-signed certificate for a Service Instance that you create when you perform one of these management operations:

  • Create Instance
  • Restore
  • Point in Time Restore (PITR)
  • Clone

(By default, Data Management for VMware Tanzu allows both secured and unsecured client connections to a new Service Instance. If you want to mandate the use of secured connections, you must explicitly configure the Service Instance to require TLS.)

You can download the Root CA or server certificate for a Service Instance. You can also regenerate the server certificate.

Downloading the Server Certificate

You may be required to download the Server Certificate for the Service Instance if your client requires the file to connect to the instance using TLS.

A Service Instance server certificate file is named as follows:

TDM-<service-instance-name>-<year>-server.pem

For example:

TDM-my-pg11.8-instance-2021-server.pem

Prerequisites

Before you download the server certificate for a Service Instance, ensure that the instance is powered on and online.

Procedure

Perform the following procedure to download the server certificate for a Service Instance:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned database instances.

  2. Examine the databases listed in the table, identify the instance for which you want to download the server certificate, and navigate to that table row.

  3. Click the database Instance Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Download Server Certificate from the drop down menu.

    A browser-specific dialog displays, prompting you to open or save the file.

  5. Save the file to your local file system, and note the location.

Downloading the Root CA

You may be required to download the Root CA for the Service Instance if your client requires the CA to connect to the instance using TLS. For example, if you run a MySQL client that specifies the TLS mode Require and Verify CA, you must provide the Root CA file to connect.

The default Root CA file for an organization is named as follows:

TDM-<organization-name>-<year>-ca.pem

For example:

TDM-campaigns-2021-ca.pem

Prerequisites

Before you download the Root CA for a Service Instance, ensure that the instance is powered on and online.

Procedure

You can download the Root CA directly from the Databases view by clicking the Download Root CA text located to the left of the CREATE DB button.

Alternatively, you can download the Root CA for a Service Instance from the Security section of the Databases view instance Details:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned database instances.

  2. Examine the databases listed in the table, identify the instance for which you want to download the Root CA, and navigate to that table row.

  3. Click the database Instance Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Download Root CA from the drop down menu.

    A browser-specific dialog displays, prompting you to open or save the file.

  5. Save the file to your local file system, and note the location.
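Because a new Service Instance accepts unsecured connections by default, the downloaded Root CA protects only those clients that are configured to verify it. The following added example (not part of the VMware documentation) audits PostgreSQL libpq connection strings for that. The libpq focus, the sample host names and paths, and the `audit_dsn` helper are assumptions made for illustration.

```python
import re

# Real libpq sslmode values, grouped by what they guarantee.
VERIFYING = {"verify-ca", "verify-full"}
MAY_BE_PLAINTEXT = {"disable", "allow", "prefer"}

# File naming from this page:
#   TDM-<organization-name>-<year>-ca.pem      (Root CA, one per organization)
#   TDM-<service-instance-name>-<year>-server.pem (per-instance server cert)
CA_NAME = re.compile(r"^TDM-(?P<org>.+)-(?P<year>\d{4})-ca\.pem$")
SERVER_NAME = re.compile(r"^TDM-.+-\d{4}-server\.pem$")

def parse_dsn(dsn):
    """Parse a space-separated key=value libpq DSN (quoted values not handled)."""
    return dict(tok.split("=", 1) for tok in dsn.split() if "=" in tok)

def audit_dsn(dsn, expected_org):
    """Return findings; an empty list means the client verifies the org Root CA."""
    opts = parse_dsn(dsn)
    findings = []
    mode = opts.get("sslmode", "prefer")  # libpq default when sslmode is unset
    if mode in MAY_BE_PLAINTEXT:
        findings.append(f"sslmode={mode}: connection may be unencrypted")
    elif mode == "require":
        findings.append("sslmode=require: set verify-ca or verify-full explicitly")
    elif mode not in VERIFYING:
        findings.append(f"sslmode={mode}: unknown value")
    ca_file = opts.get("sslrootcert", "").rsplit("/", 1)[-1]
    match = CA_NAME.match(ca_file)
    if not ca_file:
        findings.append("sslrootcert not set: no Root CA to verify against")
    elif SERVER_NAME.match(ca_file):
        findings.append("sslrootcert is a server certificate file, which regeneration replaces")
    elif not match:
        findings.append(f"sslrootcert={ca_file}: not a TDM Root CA file name")
    elif match.group("org") != expected_org:
        findings.append(f"Root CA is for organization {match.group('org')!r}, "
                        f"expected {expected_org!r}")
    return findings

# Constructed sample DSNs (host names and paths are made up for this example).
SAMPLES = [
    "host=db.example.internal dbname=app",
    "host=db.example.internal sslmode=verify-ca sslrootcert=/etc/tdm/TDM-campaigns-2021-ca.pem",
]

if __name__ == "__main__":
    for dsn in SAMPLES:
        print(dsn, "->", audit_dsn(dsn, "campaigns") or "OK")
```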

Regenerating the Server Certificate

Regenerating the server certificate for a Service Instance replaces the existing certificate with a new self-signed certificate.

If the Service Instance on which you regenerate a server certificate is a Primary, Data Management for VMware Tanzu synchronizes the new certificate to each Read Replica in the cluster.

Note: Regenerating the server certificate for a Service Instance is an on-demand operation that requires a restart of the service. Consider initiating this operation during the maintenance window of the instance.

Prerequisites

Before you regenerate a server certificate for a Service Instance, ensure that:

  • The instance is powered on and online.
  • The service restart will not negatively impact current service users.

Procedure

Perform the following procedure to regenerate the server certificate for a Service Instance:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned database instances.

  2. Examine the databases listed in the table, identify the instance for which you want to regenerate the server certificate, and navigate to that table row.

  3. Click the database Instance Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Regenerate Server Certificate from the drop down menu.

    The Regenerate Server Certificate dialog displays.

  5. If you are certain that you want to regenerate the certificate, click CONFIRM.

    Data Management for VMware Tanzu initiates the task, generating an operation of type DB_SERVER_CERT_REFRESH.

  6. Monitor the progress of the task in the Operations tab or in the Database Operations view:

    1. Locate the DB_SERVER_CERT_REFRESH operation type and click it.
    2. Select the State History tab to view the subtasks and their status.
    3. If the operation fails, select the Error Info tab to examine the returned error information.
  7. If the service instance on which you regenerated the server certificate is a Primary, Data Management for VMware Tanzu also initiates a DB_SERVER_CERT_REFRESH operation for each Read Replica in the cluster.

  8. You may choose to download the new server certificate at this time.
