VMware Data Services Manager generates a single, self-signed Root CA per organization. All databases that you provision in a given organization share the same Root CA.

VMware Data Services Manager always generates keys and a new self-signed certificate for a database that you create by performing one of these management operations:

  • Create database
  • Restore
  • Point in Time Restore (PITR)
  • Clone

(By default, VMware Data Services Manager allows both secured and unsecured client connections to a new database. If you want to mandate the use of secured connections, you must explicitly configure the database to require TLS.)

You can download the Root CA or server certificate for a database. You can also regenerate the server certificate.

Downloading the Server Certificate

You may be required to download the Server Certificate for the database if your client requires the file to connect to the database using TLS.

A database server certificate file is named as follows:

TDM-<service-instance-name>-<year>-server.pem

For example:

TDM-my-pg11.8-instance-2021-server.pem

Prerequisites

Before you download the server certificate for a database, ensure that the database is powered on and online.

Procedure

Perform the following procedure to download the server certificate for a database:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned databases.

  2. Examine the databases listed in the table, identify the database for which you want to download the server certificate, and navigate to that table row.

  3. Click the database VM Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Download Server Certificate from the drop-down menu.

    A browser-specific dialog displays, prompting you to open or save the file.

  5. Save the file to your local file system, and note the location.

Downloading the Root CA

You may be required to download the Root CA for the database if your client requires the CA to connect to the database using TLS. For example, if you run a MySQL client that specifies the TLS mode Require and Verify CA, you must provide the Root CA file to connect.

The default Root CA file for an organization is named as follows:

TDM-<organization-name>-<year>-ca.pem

For example:

TDM-campaigns-2021-ca.pem

Prerequisites

Before you download the Root CA for a database, ensure that the database is powered on and online.

Procedure

You can download the Root CA directly from the Databases view by clicking the Download Root CA text located to the left of the CREATE DB button.

Alternatively, you can download the Root CA for a database from the Security section of the Details tab:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned databases.

  2. Examine the databases listed in the table, identify the database for which you want to download the Root CA, and navigate to that table row.

  3. Click the database VM Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Download Root CA from the drop-down menu.

    A browser-specific dialog displays, prompting you to open or save the file.

  5. Save the file to your local file system, and note the location.

Regenerating the Server Certificate

Regenerating the server certificate for a database replaces the existing certificate with a new self-signed certificate.

If the database on which you regenerate a server certificate is a Primary, VMware Data Services Manager synchronizes the new certificate to each Read Replica in the cluster.

Note: Regenerating the server certificate for a database is an on-demand operation that requires a restart of the service. Consider initiating this operation during the maintenance window of the database.

Prerequisites

Before you regenerate a server certificate for a database, ensure that:

  • The database is powered on and online.
  • The service restart will not negatively impact current service users.

Procedure

Perform the following procedure to regenerate the server certificate for a database:

  1. Select Databases from the left navigation pane.

    This action displays the Databases view, a table that lists the provisioned databases.

  2. Examine the databases listed in the table, identify the database for which you want to regenerate the server certificate, and navigate to that table row.

  3. Click the database VM Name.

    The database information Details tab displays.

  4. Locate the Security section of the pane, click ACTIONS, and select Regenerate Server Certificate from the drop-down menu.

    The Regenerate Server Certificate dialog displays.

  5. If you are certain that you want to regenerate the certificate, click CONFIRM.

    VMware Data Services Manager initiates the task, generating an operation of type DB_SERVER_CERT_REFRESH.

  6. Monitor the progress of the task in the Operations tab or in the Operations view:

    1. Locate the DB_SERVER_CERT_REFRESH operation type and click it.
    2. Select the State History tab to view the subtasks and their status.
    3. If the operation fails, select the Error Info tab to examine the returned error information.

  7. If the database on which you regenerated the server certificate is a Primary, VMware Data Services Manager also initiates a DB_SERVER_CERT_REFRESH operation for each Read Replica in the cluster.

  8. You may choose to download the new server certificate at this time.
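
The following Python sketch is an added example, not part of VMware Data Services Manager or its documentation. It compares the server certificate file that a client currently trusts with a newly downloaded one by SHA-256 fingerprint, using the file naming convention described above; the function names, status strings, and sample PEM contents are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

# Naming convention from the page: TDM-<name>-<year>-server.pem or -ca.pem.
# <name> can contain hyphens and dots (my-pg11.8-instance), so anchor on the
# trailing -<year>-<kind>.pem instead of splitting on "-".
NAME_RE = re.compile(r"^TDM-(?P<name>.+)-(?P<year>\d{4})-(?P<kind>server|ca)\.pem$")

def parse_name(filename):
    """Return (name, year, kind) for a certificate file name, or None."""
    m = NAME_RE.match(filename)
    return (m["name"], int(m["year"]), m["kind"]) if m else None

def fingerprint(pem_text):
    """SHA-256 of the DER bytes; PEM line wrapping and CRLF do not affect it."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text.strip())).hexdigest()

def rotation_status(pinned_name, pinned_pem, new_name, new_pem):
    """Compare the server certificate a client pins with a fresh download."""
    old, new = parse_name(pinned_name), parse_name(new_name)
    if not old or not new or old[2] != "server" or new[2] != "server":
        return "not-a-server-cert"   # e.g. the Root CA file was passed by mistake
    if old[0] != new[0]:
        return "different-instance"  # certificate belongs to another database
    if fingerprint(pinned_pem) == fingerprint(new_pem):
        return "unchanged"           # same certificate as the pinned one
    return "rotated"                 # distribute the new file to pinning clients

def constructed_pem(payload, width=64, newline="\n"):
    """Constructed sample input: PEM armor around arbitrary bytes, not a real certificate."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----"]) + newline

if __name__ == "__main__":
    name = "TDM-my-pg11.8-instance-2021-server.pem"
    old = constructed_pem(b"constructed certificate before regeneration" * 4)
    new = constructed_pem(b"constructed certificate after regeneration" * 4)
    rewrapped = constructed_pem(b"constructed certificate before regeneration" * 4, 76, "\r\n")
    print(rotation_status(name, old, name, new))                         # rotated
    print(rotation_status(name, old, name, rewrapped))                   # unchanged
    print(rotation_status(name, old, "TDM-campaigns-2021-ca.pem", new))  # not-a-server-cert
```

A result of "unchanged" after a DB_SERVER_CERT_REFRESH operation indicates that the downloaded file still holds the certificate the client already has.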
