When the certificate of the Tunnel Service expires, you must replace it with a new self-signed or a CA-signed certificate.
Replace the certificate of the Tunnel Service only in cloud sites.
Prerequisites
Verify that you are prepared to follow the steps in these procedures when replacing the certificate:
Procedure
- In a Web browser, go to the Tunnel Service service management interface for your deployment type.
| Deployment type | Service Management Interface |
| --- | --- |
| Cloud Director Combined Appliance | https://Appliance-IP-Address:8442/ui/admin |
| Tunnel Appliance | https://Tunnel-Appliance-IP-Address/ui/admin |
- Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
- Click Login.
- Log in as root.
- Generate or upload a new certificate.
- Log in to the management interface of the Cloud Director Replication Management Appliance.
- In a Web browser, go to https://Appliance-IP-Address/ui/admin.
- Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
- Click Login.
- In the left pane under Configuration, click Settings.
- Under Service Endpoints next to Tunnel Service address, click Edit.
- In the Tunnel Service Settings window, click Apply.
- Verify the thumbprint and accept the new Tunnel Service SSL certificate.
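One way to carry out the thumbprint check in the last step outside the browser, as an added example that is not part of the VMware documentation: it hashes the certificate an endpoint serves and compares it with a thumbprint obtained from a trusted source. The host, port and expected thumbprint are placeholders you supply, and accepting both SHA-1 and SHA-256 lengths is an assumption, since the page does not state which digest the UI displays.

```python
import hashlib
import hmac
import ssl
import sys

# Hex length of a thumbprint -> digest that produces it (assumed: SHA-1 or SHA-256).
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}
# Constructed placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"constructed sample, not a real certificate"


def normalize(thumbprint: str) -> str:
    """Drop an 'SHA-256:' or 'Fingerprint=' label, colons and spaces; return upper-case hex."""
    text = thumbprint.strip().split("=")[-1]
    head, sep, tail = text.partition(":")
    if sep and head.upper().replace("-", "") in ("SHA1", "SHA256"):
        text = tail
    hex_only = text.replace(":", "").replace(" ", "").upper()
    if len(hex_only) not in DIGEST_BY_HEX_LEN or set(hex_only) - set("0123456789ABCDEF"):
        raise ValueError("not a SHA-1 or SHA-256 thumbprint")
    return hex_only


def thumbprint(der: bytes, algorithm: str = "sha256") -> str:
    """A thumbprint is the digest of the DER-encoded certificate, as upper-case hex."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def matches(der: bytes, expected: str) -> bool:
    """True if the certificate hashes to the expected thumbprint (either digest length)."""
    want = normalize(expected)
    got = thumbprint(der, DIGEST_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(got, want)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the served leaf certificate without chain validation (it may be
    self-signed); the thumbprint comparison is what establishes trust."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Usage: python check_thumbprint.py <host> <port> <expected-thumbprint>
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok = matches(fetch_der(host, port), expected)
    print("thumbprint matches" if ok else "MISMATCH: do not accept the certificate")
    sys.exit(0 if ok else 1)
```

Take the expected thumbprint from the certificate file you generated or uploaded, not from the same network path you are checking.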
Results
After replacing the certificate of the Tunnel Service, on-premises and cloud sites might initially show a "Generic error occured during TLS handshake" message for this Tunnel Service instance connectivity. Without further actions, within 30 minutes VMware Cloud Director Availability negotiates the certificate and restores the connectivity.