Data Management for VMware Tanzu generates a single, self-signed Root CA per organization. All databases that you provision in a given organization share the same Root CA.
Data Management for VMware Tanzu always generates keys and a new self-signed certificate for a database that you create when you perform one of these management operations:
(By default, Data Management for VMware Tanzu allows both secured and unsecured client connections to a new database. If you want to mandate the use of secured connections, you must explicitly configure the database to require TLS.)
You can download the Root CA or server certificate for a database. You can also regenerate the server certificate.
You may be required to download the Server Certificate for the database if your client requires the file to connect to the database using TLS.
A database server certificate file is named as follows:
TDM-<service-instance-name>-<year>-server.pem
For example:
TDM-my-pg11.8-instance-2021-server.pem
Before you download the server certificate for a database, ensure that the database is powered on and online.
Perform the following procedure to download the server certificate for a database:
Select Databases from the left navigation pane.
This action displays the Databases view, a table that lists the provisioned databases.
Examine the databases listed in the table, identify the database for which you want to download the server certificate, and navigate to that table row.
Click the database VM Name.
The database information Details tab displays.
Locate the Security section of the pane, click ACTIONS, and select Download Server Certificate from the drop down menu.
A browser-specific dialog displays, prompting you to open or save the file.
Save the file to your local file system, and note the location.
You may be required to download the Root CA for the database if your client requires the CA to connect to the database using TLS. For example, if you run a MySQL client that specifies the TLS mode Require and Verify CA, you must provide the Root CA file to connect.
The default Root CA file for an organization is named as follows:
TDM-<organization-name>-<year>-ca.pem
For example:
TDM-campaigns-2021-ca.pem
Before you download the Root CA for a database, ensure that the database is powered on and online.
You can download the Root CA directly from the Databases view by clicking the Download Root CA text located to the left of the CREATE DB button.
Alternatively, you can download the Root CA for a database from the Security section of the Details tab:
Select Databases from the left navigation pane.
This action displays the Databases view, a table that lists the provisioned databases.
Examine the databases listed in the table, identify the database for which you want to download the Root CA, and navigate to that table row.
Click the database VM Name.
The database information Details tab displays.
Locate the Security section of the pane, click ACTIONS, and select Download Root CA from the drop down menu.
A browser-specific dialog displays, prompting you to open or save the file.
Save the file to your local file system, and note the location.
Regenerating the server certificate for a database replaces the existing certificate with a new self-signed certificate.
If the database on which you regenerate a server certificate is a Primary, Data Management for VMware Tanzu synchronizes the new certificate to each Read Replica in the cluster.
Before you regenerate a server certificate for a database, ensure that:
Perform the following procedure to regenerate the server certificate for a database:
Select Databases from the left navigation pane.
This action displays the Databases view, a table that lists the provisioned databases.
Examine the databases listed in the table, identify the database for which you want to regenerate the server certificate, and navigate to that table row.
Click the database VM Name.
The database information Details tab displays.
Locate the Security section of the pane, click ACTIONS, and select Regenerate Server Certificate from the drop down menu.
The Regenerate Server Certificate dialog displays.
If you are certain that you want to regenerate the certificate, click CONFIRM.
Data Management for VMware Tanzu initiates the task, generating an operation of type DB_SERVER_CERT_REFRESH.
Monitor the progress of the task in the Operations tab or in the Operations view:
If the database on which you regenerated the server certificate is a Primary, Data Management for VMware Tanzu also initiates a DB_SERVER_CERT_REFRESH operation for each Read Replica in the cluster.
You may choose to download the new server certificate at this time.
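After you download the Root CA and a server certificate, and again after a regeneration, you can inspect the files locally before you hand them to clients. The following script is an added example, not part of Data Management for VMware Tanzu: it assumes the openssl command-line tool is installed, all function names are hypothetical, and make_constructed_pki only builds throwaway certificates for trying the checks offline. The chain check reports whether the server certificate verifies against the Root CA file, which is what a client in a Verify CA mode tests.

```shell
#!/bin/sh
# Added example: local checks on downloaded TDM certificate files (needs openssl).
# Usage: sh tdm_cert_check.sh <root-ca.pem> <server.pem> [previous-server.pem]

cert_fp() {          # SHA-256 fingerprint of a PEM certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

chains_to_ca() {     # 0 if cert $2 verifies against CA file $1 (system CA directory ignored)
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

valid_for_days() {   # 0 if cert $1 is still valid $2 days from now
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

cert_changed() {     # 0 if files $1 and $2 hold different certificates
    [ "$(cert_fp "$1")" != "$(cert_fp "$2")" ]
}

report() {           # report <root-ca.pem> <server.pem> [previous-server.pem]
    openssl x509 -in "$2" -noout -subject -issuer -enddate
    echo "sha256=$(cert_fp "$2")"
    if ! chains_to_ca "$1" "$2"; then
        echo "chain: FAILED, $2 does not verify against $1"; return 1
    fi
    echo "chain: OK"
    valid_for_days "$2" 30 || echo "warning: expires within 30 days"
    if [ -n "${3:-}" ] && cert_changed "$3" "$2"; then
        echo "certificate differs from $3: replace copies held by clients"
    fi
}

# Constructed fixture (not TDM output): throwaway CA and server cert in dir $1.
make_constructed_pki() {
    mkdir -p "$1"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$1/c.cnf"
    openssl req -x509 -config "$1/c.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=constructed-ca" -days 30 2>/dev/null
    openssl req -new -config "$1/c.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/s.key" -out "$1/s.csr" -subj "/CN=constructed-db" 2>/dev/null
    openssl x509 -req -in "$1/s.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/server.pem" -days 30 2>/dev/null
}

if [ "$#" -ge 2 ]; then report "$@"; fi
```

Pass the file saved before a regeneration as the optional third argument to confirm that the newly downloaded server certificate is a different one.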