VMware Data Services Manager generates a TLS v1.2 self-signed certificate for its user interface when you deploy the Provider VM. This certificate is not certified by any public certificate authority.

If your organization employs more restrictive certificate policies, you can replace the default VMware Data Services Manager UI self-signed certificate with your own custom certificate.

When you replace the default certificate with a custom certificate, VMware Data Services Manager:

  • Validates the new certificate.
  • Loads the certificate files to a temporary location on the file system of the Provider VM.
  • Saves the certificate files to a database on the Provider VM.
  • Copies the new certificates to the real location on the Provider VM file system.
  • Restarts the VMware Data Services Manager UI service.

Any currently running UI sessions must refresh after the restart to use the new certificate.

Prerequisites

Ensure that the key and custom certificate that you generate meet these requirements:

  • You generate an RSA key with a 2048-bit length.

  • The extension of the key file must be one of .key or .pem.

  • The key file must include a single BEGIN PRIVATE KEY / END PRIVATE KEY block that identifies the key for the custom VMware Data Services Manager UI certificate.

  • You generate the certificate signing request based on the 2048-bit RSA key.

  • The file extension of the custom VMware Data Services Manager UI certificate must be one of .crt, .pem, or .cer.

  • A (chained) certificate must include one or more BEGIN CERTIFICATE / END CERTIFICATE blocks with the specified number of components, in the following order:

    • Certificate for the VMware Data Services Manager UI (1)
    • Intermediate Certificate (0-n)
    • Root Certificate (0-1)
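
The following pre-flight check is an added example and is not part of the VMware documentation or product. It is a POSIX shell script that uses openssl on the workstation to test a key/certificate pair against the prerequisites above before you submit it: key file extension and a single BEGIN PRIVATE KEY block, a 2048-bit RSA modulus, certificate file extension, and the block order of a chained certificate (UI certificate first, each following block the issuer of the block before it), plus the check that the first certificate actually belongs to the key. The file names, the constructed test chain built by make_sample_chain, and the presence of openssl are assumptions; nothing here contacts the Provider VM.

```shell
#!/bin/sh
# Pre-flight validation of a custom DSM UI key/certificate pair against the
# documented prerequisites. Added example, not VMware code. Assumes openssl on
# the workstation; file names such as ui.key and ui.crt are our own choice.

# Print how many lines of file $2 match pattern $1 (grep -c exits 1 on zero
# matches, so || true keeps the printed "0" and a success status).
count_matches() {
    grep -c -- "$1" "$2" 2>/dev/null || true
}

# Key file: .key or .pem, exactly one PKCS#8 "BEGIN PRIVATE KEY" block (a
# PKCS#1 "BEGIN RSA PRIVATE KEY" block does not meet the stated requirement),
# and a 2048-bit RSA modulus.
check_key_file() {
    case "$1" in
        *.key|*.pem) ;;
        *) echo "key: extension must be .key or .pem: $1"; return 1 ;;
    esac
    if [ "$(count_matches '^-----BEGIN PRIVATE KEY-----$' "$1")" != 1 ] ||
       [ "$(count_matches '^-----END PRIVATE KEY-----$' "$1")" != 1 ]; then
        echo "key: need exactly one BEGIN/END PRIVATE KEY block: $1"; return 1
    fi
    # "Private-Key: (2048 bit" is printed by OpenSSL 1.0, 1.1 and 3.x alike.
    if ! openssl pkey -in "$1" -noout -text 2>/dev/null |
         grep -qE 'Private-Key: \(2048 bit'; then
        echo "key: must be a 2048-bit RSA key: $1"; return 1
    fi
}

# Certificate file: .crt, .pem or .cer, one or more CERTIFICATE blocks ordered
# UI certificate, intermediates, root; block 1 must match the private key.
check_cert_chain() {
    cert=$1; key=$2
    case "$cert" in
        *.crt|*.pem|*.cer) ;;
        *) echo "cert: extension must be .crt, .pem or .cer: $cert"; return 1 ;;
    esac
    n=$(count_matches '^-----BEGIN CERTIFICATE-----$' "$cert")
    [ "$n" -ge 1 ] || { echo "cert: no BEGIN CERTIFICATE block: $cert"; return 1; }
    work=$(mktemp -d)
    # Split the bundle into part_1.pem ... part_N.pem, one block per file.
    awk -v d="$work" '/^-----BEGIN CERTIFICATE-----$/ { i++ }
                      i { print > (d "/part_" i ".pem") }' "$cert"
    ok=1
    # Block 1 is the UI certificate: its public key must equal the key's.
    leafpub=$(openssl x509 -in "$work/part_1.pem" -noout -pubkey 2>/dev/null || true)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$leafpub" ] || [ "$leafpub" != "$keypub" ]; then
        echo "cert: block 1 is not the certificate for key $key"; ok=0
    fi
    # Every later block must be the issuer of the block before it.
    i=1
    while [ "$ok" = 1 ] && [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$work/part_$i.pem" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$work/part_$j.pem" -noout -subject -nameopt RFC2253)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "cert: block $j did not issue block $i (chain order wrong?)"; ok=0
        fi
        i=$j
    done
    rm -rf "$work"
    [ "$ok" = 1 ]
}

# Constructed test material (not real infrastructure): a self-signed root that
# signs a UI leaf, an unrelated root, and bundles in correct and wrong order.
make_sample_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.crt" -subj "/CN=Example Root" -days 30 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" \
        -out "$d/other.crt" -subj "/CN=Other Root" -days 30 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/ui.key" 2>/dev/null
    openssl req -new -key "$d/ui.key" -subj "/CN=dsm.example.test" -out "$d/ui.csr" 2>/dev/null
    openssl x509 -req -in "$d/ui.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 30 2>/dev/null
    cat "$d/leaf.crt" "$d/root.crt"  > "$d/ui.crt"           # leaf, root: valid
    cat "$d/root.crt" "$d/leaf.crt"  > "$d/reversed.crt"     # root first: invalid
    cat "$d/leaf.crt" "$d/other.crt" > "$d/wrongissuer.crt"  # block 2 not issuer
}

# Stand-alone usage: sh preflight.sh ui.key ui.crt
if [ "$#" -eq 2 ]; then
    if check_key_file "$1" && check_cert_chain "$2" "$1"; then
        echo "preflight passed: $1 $2"
    else
        echo "preflight failed"; exit 1
    fi
fi
```

Run it against the files you intend to upload before calling the API; a failure message names the block that breaks the ordering rule, which is the usual cause when a bundle exported from another system lists the root first.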

Procedure

You can replace the default UI certificate with a custom certificate only via the VMware Data Services Manager API; this operation is not yet supported via the console.

POST https://<provider-ip-address>/appliance/certificate

Request parameters:

key: <key-file>
certificate: <cert-file>

Troubleshooting

In most cases, VMware Data Services Manager rolls back to the self-signed certificate when certificate replacement fails. If VMware Data Services Manager is unable to roll back, you can SSH into the Provider VM and manually copy the custom certificate to the required file system location:

$ cp custom-ui-cert.pem /opt/vmware/tdm-provider/cert/provider-api-cert.pem
$ cp custom-ui-key.pem /opt/vmware/tdm-provider/cert/provider-api-key.pem

You must also manually restart the UI service:

$ docker exec -it provider-ui bash -c "/usr/sbin/nginx -s reload"

If you are running the Provider in High Availability mode and certificate replacement via the API fails on any node, run the steps above on each failed node.
