When the certificate of the Tunnel Service expires, you must replace it with a new self-signed or a CA-signed certificate.

Replace the certificate of the Tunnel Service only in cloud sites.

Prerequisites

Before replacing the certificate, verify that you are prepared to follow the steps in this procedure.

Procedure

  1. In a Web browser, go to the service management interface of the Tunnel Service for your deployment type.
    Deployment type                    Service management interface
    Cloud Director Combined Appliance  https://Appliance-IP-Address:8442/ui/admin
    Tunnel Appliance                   https://Tunnel-Appliance-IP-Address/ui/admin
    1. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
    2. Click Login.
  2. Log in as root.
  3. Generate or upload a new certificate.
  4. Log in to the management interface of the Cloud Director Replication Management Appliance.
    1. In a Web browser, go to https://Appliance-IP-Address/ui/admin.
    2. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
    3. Click Login.
  5. In the left pane under Configuration, click Settings.
  6. Under Service Endpoints next to Tunnel Service address, click Edit.
  7. In the Tunnel Service Settings window, click Apply.
  8. Verify that the thumbprint matches the certificate you generated or uploaded in step 3, then accept the new Tunnel Service SSL certificate. Do not accept a thumbprint you cannot account for.

Results

After you replace the certificate of the Tunnel Service, on-premises and cloud sites might initially show a Generic error occurred during TLS handshake message for the connectivity of this Tunnel Service instance. Without further action, within 30 minutes VMware Cloud Director Availability negotiates the new certificate and restores the connectivity.
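The thumbprint check in step 8 and the post-replacement connectivity state both come down to one question: is the certificate the Tunnel Service actually serves the one you expect? The following script is an added example and is not part of VMware Cloud Director Availability or its documentation. It connects to the Tunnel Service management port, computes the thumbprint of the certificate it presents, and compares it with the value shown in the Replication Management Appliance's accept dialog (or with the thumbprint of the certificate you generated in step 3). The port default of 8442 is the Combined Appliance value from the table above; for a standalone Tunnel Appliance pass 443. Whether the UI shows a SHA-1 or a SHA-256 thumbprint is an assumption, so the script accepts either and picks the hash from the thumbprint's length. The sample input bytes are constructed and are not a real certificate; they only exercise the helpers offline.

```python
import hashlib
import socket
import ssl
import sys

# Constructed sample input (not a real certificate): stands in for the
# DER-encoded certificate bytes that getpeercert(binary_form=True) returns,
# so the thumbprint helpers can be exercised without a live appliance.
SAMPLE_DER = b"constructed DER bytes standing in for a certificate"


def fingerprint(der_bytes, algorithm="sha256"):
    """Thumbprint of a DER certificate as colon-separated upper-case hex
    (for example AB:CD:...), the form certificate dialogs usually display."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint):
    """Strip separators and case so a value copied from the UI compares cleanly."""
    return "".join(c for c in thumbprint.upper() if c in "0123456789ABCDEF")


def algorithm_for(thumbprint):
    """Pick SHA-1 or SHA-256 from the thumbprint length (40 or 64 hex digits).
    Assumption: the UI may show either; anything else is refused rather than guessed."""
    length = len(normalize(thumbprint))
    if length == 40:
        return "sha1"
    if length == 64:
        return "sha256"
    raise ValueError("thumbprint must be 40 (SHA-1) or 64 (SHA-256) hex digits, got %d" % length)


def thumbprints_match(der_bytes, expected):
    """True when the certificate's thumbprint equals the expected one."""
    return normalize(fingerprint(der_bytes, algorithm_for(expected))) == normalize(expected)


def fetch_peer_cert_der(host, port=8442, timeout=10):
    """Fetch the DER certificate the Tunnel Service presents on its management port.
    Chain validation is disabled deliberately: a freshly generated self-signed
    certificate is not trusted by this client yet, and the thumbprint comparison
    performed afterwards is the actual verification step."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_tunnel_certificate(host, expected_thumbprint, port=8442):
    """Return (matches, served_thumbprint) for the certificate served by host:port."""
    der = fetch_peer_cert_der(host, port)
    algorithm = algorithm_for(expected_thumbprint)
    return thumbprints_match(der, expected_thumbprint), fingerprint(der, algorithm)


if __name__ == "__main__":
    # Usage: check_tunnel_cert.py <tunnel-host> <expected-thumbprint> [port]
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: check_tunnel_cert.py <tunnel-host> <expected-thumbprint> [port]")
    host, expected = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) == 4 else 8442
    ok, served = verify_tunnel_certificate(host, expected, port)
    print("served thumbprint:", served)
    print("MATCH: safe to accept" if ok else "MISMATCH: do not accept, investigate")
    sys.exit(0 if ok else 1)
```

Run it against the Tunnel Service address before clicking accept in step 8; a mismatch means either the certificate was not replaced where you think it was, or something else is answering on that address, and neither should be accepted. Running it again after the replacement, and from the on-premises side, tells you whether the Generic error occurred during TLS handshake message is the expected transient renegotiation or a real mismatch that will not clear on its own. The same fingerprint can be obtained with `openssl s_client -connect host:8442 </dev/null | openssl x509 -noout -fingerprint -sha256` if you prefer the command line.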