Regenerate the Manager Service self-signed SSL certificate or import one. After updating this service certificate, repair the trust with the local Replicator Service instances and re-pair with all cloud sites.

In VMware Cloud Director Availability, replacing the Manager Service certificate:
  • Invalidates the trust only:
    • with the paired cloud sites,
    • and with the Replicator Service instances in the local cloud site.
  • On-premises sites that are paired automatically reestablish the trust after synchronizing or within 30 minutes. Re-pairing with on-premises sites is not necessary when replacing the SSL certificate of the Manager Service.
Post-certificate replacement
To re-establish the trust after replacing the certificate of the Manager Service, re-pair the registration of the Replicator Service instances in the local cloud site and re-pair with the cloud sites.

Procedure

  1. Log in to the Manager Service service management interface.
    1. In a Web browser, go to https://Appliance-IP-Address:8441/ui/admin.
    2. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
    3. Click Login.
  2. Replace the SSL certificate of the Manager Service.
    1. In the left pane under Configuration, click Settings.
    2. Under Appliance settings next to Certificate, select the certificate replacement method.
      | Option | Description |
      |---|---|
      | Import | Upload a certificate. |
      | Regenerate | Generate a new self-signed certificate. |
    3. To update the Manager Service certificate, click Apply.
      You are logged out and the services automatically restart in a few minutes. After importing a certificate, the Manager Service creates a copy of the old certificate at /opt/vmware/h4/manager/config/keystore.p12.bak.
    After applying the new certificate, all Replicator Service instances and on-premises appliances become offline. Repair all Replicator Service instances in the cloud site. The on-premises appliances restore operations automatically within 30 minutes without additional actions.
    • Until the connectivity automatically restores, the tenants see the Service connectivity to the Manager Service as offline and all their replications are temporarily in red health.
    • After re-pairing with all the Replicator Service instances and their connectivity restores, the replications return to green health.

    Tenants do not have to perform additional actions with their on-premises appliances when the provider changes the Manager Service certificate as it only causes a temporary impact on the active replications.

  3. Log in to the Manager Service service management interface.
    1. In a Web browser, go to https://Appliance-IP-Address:8441/ui/admin.
    2. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
    3. Click Login.
  4. Trust the new Manager Service certificate with the remaining Replicator Service instances in the local cloud site.
    1. In the left pane, click Replicator Services.
    2. In the Replicator Services administration page, select each local Replicator Service instance and click Repair.
    3. In the Details for replicator window, enter the root user password of the Cloud Director Replication Management Appliance, the single sign-on credentials and click Apply.
    4. To complete the trust re-establishment, verify the thumbprint and accept the SSL certificate of this local Replicator Service instance.
    Note: Repeat this step and trust the new certificate of the Manager Service by selecting the remaining Replicator Service instances.
  5. Log in to the management interface of the Cloud Director Replication Management Appliance.
    1. In a Web browser, go to https://Appliance-IP-Address/ui/admin.
    2. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
    3. Click Login.
  6. In each paired cloud site, trust this new Manager Service certificate.
    1. In the left pane, click Peer Sites.
    2. Select a cloud site and click Repair.
    3. In the Update Pairing window, click Update.
    4. To complete the trust re-establishment, accept the remote Cloud Service SSL certificate.
    Note: Repeat this step and re-pair with the remaining cloud sites.
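
Steps 4 and 6 each end with a thumbprint check before a certificate is accepted. The following is an added example, not part of the VMware documentation or product: it computes the thumbprint of the certificate a service presents and compares it with a value recorded out-of-band (for example on the appliance console). The function names are hypothetical, and SHA-256 as the thumbprint algorithm shown in the dialog is an assumption.

```python
import hashlib
import hmac
import re
import socket
import ssl
import sys


def thumbprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate.

    Assumption: the dialog shows SHA-256; pass algorithm= if it differs.
    """
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Strip an optional 'SHA-256:' style label, separators and case."""
    value = re.sub(r"^\s*SHA-?\d+\s*[:=]\s*", "", value, flags=re.IGNORECASE)
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def matches(der: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """True only if the full expected thumbprint equals the certificate's."""
    want = normalize(expected)
    if len(want) != hashlib.new(algorithm).digest_size * 2:
        return False  # truncated or wrong-algorithm value: never a match
    return hmac.compare_digest(normalize(thumbprint(der, algorithm)), want)


def fetch_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Return the certificate a service presents, without trusting it.

    Chain validation is off on purpose: the certificate may be self-signed,
    and the thumbprint comparison is the trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: script.py <host> <port> <thumbprint recorded out-of-band>
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    der = fetch_der(host, port)
    print(thumbprint(der))
    sys.exit(0 if matches(der, expected) else 1)
```

For the Manager Service, the port on this page is 8441; a non-zero exit status means the presented certificate does not match the recorded thumbprint and should not be accepted in the dialog.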