Each VMware Cloud Director Availability service uses a unique SSL certificate both for the HTTPS access to the service management interface and in the communication with other services. After renewing or replacing the certificate of a VMware Cloud Director Availability service, configure VMware Cloud Director Availability to trust the certificate.
- Cloud Replication Management Appliance operating the Cloud Service and the Manager Service.
- Cloud Replicator Appliance operating the Replicator Service.
- Cloud Tunnel Appliance operating the Tunnel Service.
The Tunnel Service effectively proxies the tenants' communication with the Cloud Service. When connecting through the remote Tunnel Service, the VMware Cloud Director Availability On-Premises Appliance sees only the certificate of the remote Cloud Service; the tenants do not see the certificate of the remote Replicator Service or the certificate of the remote Tunnel Service.
Using a CA-Signed Certificate
- Use a CA-signed certificate only for the Cloud Service. On the same Cloud Replication Management Appliance, you must use a self-signed certificate for the Replicator Service.
- Use self-signed certificates for the Tunnel Service and the Replicator Service. If the disaster recovery environment requires using only public certificates, you can also use CA-signed certificates for these two services.
Using a Wildcard Certificate
You can use a wildcard certificate only for the Cloud Service. To keep the certificates unique, you must use self-signed certificates for the remaining VMware Cloud Director Availability services. Do not use the same wildcard certificate for more than one cloud site.
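The rules in the two sections above (one unique certificate per service, a wildcard certificate only for the Cloud Service, and no wildcard certificate shared between cloud sites) can be verified automatically once the certificate each service presents has been retrieved. The following is an added example, not VMware's code or part of this documentation: it assumes each certificate has already been parsed into a small record (subject, issuer, DNS SANs, SHA-256 fingerprint); the service names used as keys and the sample records for the two sites are constructed.

```python
"""Policy check for per-service certificates in VMware Cloud Director Availability.

Added example, not VMware's code. It assumes each service's certificate has
already been fetched and parsed into a dict with subject, issuer, SANs and the
SHA-256 fingerprint. The records in SITES below are constructed sample data.
"""
from collections import defaultdict

# Service names are assumed keys for the records; the check treats the Cloud
# Service as the only service allowed to present a wildcard certificate.
CLOUD_SERVICE = "Cloud Service"


def cert_record(subject_cn, issuer_cn, sha256, sans=()):
    """Build a parsed-certificate record (constructed, for the example)."""
    return {
        "subject": f"CN={subject_cn}",
        "subject_cn": subject_cn,
        "issuer": f"CN={issuer_cn}",
        "sans": list(sans),
        "sha256": sha256,
    }


def is_wildcard(cert):
    """True if the CN or any DNS SAN is a wildcard name such as *.example.com."""
    names = [cert["subject_cn"]] + cert.get("sans", [])
    return any(n.startswith("*.") for n in names)


def is_self_signed(cert):
    """A certificate whose issuer equals its subject was not issued by a CA."""
    return cert["issuer"] == cert["subject"]


def check_site(site, certs):
    """Return policy findings for one cloud site (certs: service -> record)."""
    findings = []
    seen = defaultdict(list)  # fingerprint -> services presenting it
    for service, cert in certs.items():
        seen[cert["sha256"]].append(service)
        if is_wildcard(cert) and service != CLOUD_SERVICE:
            findings.append(f"{site}: {service} uses a wildcard certificate; "
                            "only the Cloud Service may use one")
    # Every service must present its own unique certificate.
    for fp, services in seen.items():
        if len(services) > 1:
            findings.append(f"{site}: certificate {fp[:16]}... shared by "
                            + ", ".join(sorted(services)))
    return findings


def check_sites(sites):
    """Check each site, then flag a wildcard certificate reused across sites."""
    findings = []
    wildcard_sites = defaultdict(set)  # fingerprint -> sites using it
    for site, certs in sites.items():
        findings.extend(check_site(site, certs))
        for cert in certs.values():
            if is_wildcard(cert):
                wildcard_sites[cert["sha256"]].add(site)
    for fp, names in wildcard_sites.items():
        if len(names) > 1:
            findings.append(f"wildcard certificate {fp[:16]}... used in more "
                            "than one site: " + ", ".join(sorted(names)))
    return findings


# Constructed sample data: site-a follows the rules, site-b violates them by
# reusing site-a's wildcard certificate and presenting it from the Tunnel Service.
WILDCARD_FP = "a1" * 32
SITES = {
    "site-a": {
        CLOUD_SERVICE: cert_record("*.dr.example.com", "Example Issuing CA",
                                   WILDCARD_FP, ["*.dr.example.com"]),
        "Replicator Service": cert_record("replicator-a", "replicator-a", "b2" * 32),
        "Tunnel Service": cert_record("tunnel-a", "tunnel-a", "c3" * 32),
    },
    "site-b": {
        CLOUD_SERVICE: cert_record("*.dr.example.com", "Example Issuing CA",
                                   WILDCARD_FP, ["*.dr.example.com"]),
        "Replicator Service": cert_record("replicator-b", "replicator-b", "d4" * 32),
        "Tunnel Service": cert_record("*.dr.example.com", "Example Issuing CA",
                                      WILDCARD_FP, ["*.dr.example.com"]),
    },
}

if __name__ == "__main__":
    for line in check_sites(SITES) or ["no policy findings"]:
        print(line)
```

The check works on parsed records so that the retrieval step (for example, reading the certificate each service presents on its HTTPS port) can be swapped in without touching the policy logic; after a certificate renewal, running it against all sites confirms that the renewed certificate is still unique to one service and that the remaining services kept their self-signed certificates.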