Each VMware Cloud Director Availability service uses a unique SSL certificate, both for HTTPS access to the service management interface and for communication with the other services. After renewing or replacing the certificate of a VMware Cloud Director Availability service, configure VMware Cloud Director Availability to trust the new certificate.

In a typical cloud deployment, the VMware Cloud Director Availability solution comprises three types of appliances that operate the following VMware Cloud Director Availability services:
  • Cloud Director Replication Management Appliance operating the Cloud Service and the Manager Service.
  • Replicator Appliance operating the Replicator Service.
  • Tunnel Appliance operating the Tunnel Service.

The Tunnel Service effectively proxies the tenants' communication with the Cloud Service. When connecting through the remote Tunnel Service, the On-Premises to Cloud Director Replication Appliance sees only the certificate of the remote Cloud Service; the tenants do not see the certificate of the remote Replicator Service or the certificate of the remote Tunnel Service.

Using a CA-Signed Certificate

Each VMware Cloud Director Availability service must have a unique certificate that differs from the other services' certificates. By default, the certificate is self-signed, or you can use a Certificate Authority (CA)-signed certificate. The minimum requirement for trusted communication is to install a trusted CA-signed certificate only for the Cloud Service, while the other services can continue to use self-signed certificates:
  • Use a CA-signed certificate only for the Cloud Service. On the same Cloud Director Replication Management Appliance, you must use a self-signed certificate for the Replicator Service.
  • Use self-signed certificates for the Tunnel Service and the Replicator Service. If the disaster recovery environment requires using only public certificates, you can also use CA-signed certificates for these two services.

Using a Wildcard Certificate

You can use a wildcard certificate only for the Cloud Service. To keep the certificates unique, you must use self-signed certificates for the remaining VMware Cloud Director Availability services. Do not use the same wildcard certificate for more than one cloud site.
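The rules from the two sections above (one certificate per service, a CA-signed certificate at least for the Cloud Service, a wildcard only on the Cloud Service and never shared between cloud sites) can be checked against an inventory of deployed certificates. The checker below is an added example, not VMware code; the inventory layout (site, service, subject CN, issuer CN, SHA-256 fingerprint) and the fingerprints and host names in it are constructed assumptions.

```python
# Added example (not VMware code): check a certificate inventory against the
# rules above. Inventory layout (site -> service -> subject CN, issuer CN,
# SHA-256 fingerprint) is an assumption; all values below are constructed.
CLOUD_SERVICE = "Cloud Service"  # the only service allowed a wildcard certificate

def is_wildcard(subject_cn):
    return subject_cn.startswith("*.")

def check_certificate_layout(inventory):
    """Return findings as strings; an empty list means the layout is compliant."""
    findings = []
    wildcard_sites = {}  # fingerprint -> sites using that wildcard certificate
    for site, services in inventory.items():
        seen = {}  # fingerprint -> service, to catch reuse within one site
        for service, cert in services.items():
            fp = cert["sha256"]
            if fp in seen:
                findings.append(f"{site}: {service} reuses the certificate of {seen[fp]}")
            seen[fp] = service
            if is_wildcard(cert["subject"]):
                if service != CLOUD_SERVICE:
                    findings.append(f"{site}: {service} uses a wildcard; only the {CLOUD_SERVICE} may")
                wildcard_sites.setdefault(fp, set()).add(site)
            # Minimum requirement: the Cloud Service certificate is CA-signed.
            if service == CLOUD_SERVICE and cert["subject"] == cert["issuer"]:
                findings.append(f"{site}: {CLOUD_SERVICE} certificate is self-signed")
    for fp, sites in wildcard_sites.items():
        if len(sites) > 1:
            findings.append(f"wildcard {fp[:8]}... shared by sites: {', '.join(sorted(sites))}")
    return findings

def self_signed(cn, fp):
    return {"subject": cn, "issuer": cn, "sha256": fp}

WILDCARD = {"subject": "*.dr.example.test", "issuer": "Example CA", "sha256": "aa11" * 16}
# Constructed inventory: site-a is compliant; site-b reuses site-a's wildcard
# certificate and also installs it on its Tunnel Service.
SAMPLE_INVENTORY = {
    "site-a": {
        CLOUD_SERVICE: WILDCARD,
        "Manager Service": self_signed("manager.site-a.example.test", "bb22" * 16),
        "Replicator Service": self_signed("replicator.site-a.example.test", "cc33" * 16),
        "Tunnel Service": self_signed("tunnel.site-a.example.test", "dd44" * 16),
    },
    "site-b": {
        CLOUD_SERVICE: WILDCARD,
        "Replicator Service": self_signed("replicator.site-b.example.test", "ee55" * 16),
        "Tunnel Service": WILDCARD,
    },
}
```

Running `check_certificate_layout(SAMPLE_INVENTORY)` reports three findings for site-b (the Tunnel Service reusing the Cloud Service certificate, a wildcard on a non-Cloud service, and the wildcard shared across both sites) and none for site-a.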