The VMware Data Services Manager service components connect to various third-party systems. When those systems are TLS-secured, you may require VMware Data Services Manager to access them using trusted certificates.

You can add or update trusted certificates in VMware Data Services Manager only through the API; this operation is not yet supported in the console.

Note: VMware Data Services Manager supports only RSA certificates, and does not support encrypted or password-protected PEM files.

Best Practices for Certificate Update

When you invoke the API to add or change a trusted certificate after deployment, VMware Data Services Manager replaces the original set of certificates with the set you submit; certificates that you leave out of the request are no longer trusted. To retain all existing trusted certificates when updating, follow these steps:

  • Use the GET operation on the API endpoint to retrieve the existing certificates.
  • Add the new trusted certificates to the list of existing certificates.
  • Invoke the POST operation on the API endpoint with the complete set of certificates (original plus new).
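The following script is an added example of the GET, merge, POST procedure above; it is not VMware's code. The endpoint path (TRUSTED_CERTS_PATH), the JSON body shape ({"certificates": ["<PEM>", ...]} for both GET and POST) and bearer-token authentication are assumptions, not details from this page. The merge step also rejects what the service does not accept (encrypted or password-protected PEM, non-certificate blocks) and de-duplicates by SHA-256 fingerprint, so re-submitting a certificate that is already trusted does not produce a duplicate entry. The sample certificates at the bottom are constructed stand-ins (base64 of arbitrary bytes), not real X.509 certificates.

```python
"""Added example (not VMware's code): retain every existing trusted
certificate when adding new ones, by fetching the current set, merging,
and POSTing the complete list back.

Assumptions (hypothetical, not from the page): TRUSTED_CERTS_PATH, a JSON
body {"certificates": ["<PEM>", ...]} on GET and POST, bearer-token auth.
"""
from __future__ import annotations

import base64
import hashlib
import json
import re
import textwrap
import urllib.request

TRUSTED_CERTS_PATH = "/api/v1/trusted-certificates"  # assumed path, not from the page

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
_ENCRYPTED = re.compile(r"Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED")


def split_pem_bundle(bundle: str) -> list[str]:
    """Return the CERTIFICATE blocks of a PEM bundle in canonical 64-column form.

    Rejects what the service does not accept: encrypted/password-protected
    PEM and non-certificate blocks such as private keys.
    """
    if _ENCRYPTED.search(bundle):
        raise ValueError("encrypted or password-protected PEM is not supported")
    certs: list[str] = []
    for label, body in _PEM_BLOCK.findall(bundle):
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block: {label}")
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # fails on a corrupt or truncated block
        certs.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----"
        )
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes; identifies a certificate already in the set."""
    b64 = "".join(ln for ln in pem_cert.splitlines() if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def merge_trusted_certs(existing: list[str], new_bundle: str) -> list[str]:
    """Existing certificates first and unchanged, then new ones not already present."""
    merged: list[str] = []
    seen: set[str] = set()

    def add(cert: str) -> None:
        fp = fingerprint(cert)
        if fp not in seen:
            seen.add(fp)
            merged.append(cert)

    for pem in existing:
        for cert in split_pem_bundle(pem):
            add(cert)
    for cert in split_pem_bundle(new_bundle):
        add(cert)
    return merged


def update_trusted_certs(base_url: str, token: str, new_bundle: str) -> list[str]:
    """GET the current set, append the new certificates, POST the complete set.

    urllib verifies the TLS certificate of the API endpoint itself against the
    system trust store, so the update channel is not trust-on-first-use.
    """
    url = base_url.rstrip("/") + TRUSTED_CERTS_PATH
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        existing = json.load(resp)["certificates"]
    merged = merge_trusted_certs(existing, new_bundle)
    req = urllib.request.Request(
        url, data=json.dumps({"certificates": merged}).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req) as resp:
        resp.read()
    return merged


def _fake_cert(tag: bytes) -> str:
    """Constructed stand-in (base64 of arbitrary bytes); not a real certificate."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(tag).decode() + "\n-----END CERTIFICATE-----\n"


EXISTING_CERT = _fake_cert(b"existing vCenter CA")  # constructed sample
NEW_CERT = _fake_cert(b"new S3 CA")                  # constructed sample

if __name__ == "__main__":
    # Offline demonstration: the existing certificate survives, the new one is appended once.
    for cert in merge_trusted_certs([EXISTING_CERT], EXISTING_CERT + NEW_CERT):
        print(fingerprint(cert))
```

Against a live deployment, call update_trusted_certs(base_url, token, open("new-ca.pem").read()); it performs the GET, merge and POST in one step and returns the set that was submitted, which you can save as a record of what the Provider trusts after the change.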

Understanding the Impacts of Certificate Updates

In general, changing a certificate is not a safe operation. Only vCenter and LDAP certificate updates are supported.

Be aware of the following impacts to your VMware Data Services Manager installation when you update certificates:

  • Updating a certificate on a Provider VM may affect in-progress backup and restore operations.

  • Updating a certificate on a database may result in a temporary transaction log failure.

  • Host name verification is mandatory for TLS-based Provider, vCenter, and S3 Object Storage URLs:

    • The Common Name (CN) of the certificate must be the same as the FQDN or IP address of the endpoint (for example, the S3 storage endpoint).
    • The Subject Alternative Name (SAN) extension must not be empty, and the FQDN or IP address of the endpoint must match one of its DNS or IP address entries.
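As an added example (not VMware's code), the following function applies the host name rule above to a certificate before you add it to the trust store, so a mismatch is caught by you rather than by a failing backup later. It operates on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, which is a real standard-library format, so the same check runs on a live handshake (fetch_peer_cert) and on the constructed samples embedded below. The CN rule is enforced as the page states it (exact match with the endpoint); wildcard matching is applied only to SAN DNS entries.

```python
"""Added example (not VMware's code): verify the CN and SAN rule for an
endpoint certificate using the dict shape of ssl.SSLSocket.getpeercert().
"""
from __future__ import annotations

import ipaddress
import socket
import ssl


def _matches_dns(pattern: str, host: str) -> bool:
    """Exact match, or a single '*.' wildcard covering only the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_hostname(cert: dict, endpoint: str) -> tuple[bool, str]:
    """Return (ok, reason) for: SAN is non-empty, one SAN DNS/IP entry matches
    the endpoint, and the CN equals the endpoint's FQDN or IP address."""
    subject = cert.get("subject", ())
    cn = next((v for rdn in subject for k, v in rdn if k == "commonName"), None)
    san = cert.get("subjectAltName", ())
    if not san:
        return False, "subjectAltName is empty"
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        ok = any(kind == "IP Address" and ipaddress.ip_address(val) == ip for kind, val in san)
    else:
        ok = any(kind == "DNS" and _matches_dns(val, endpoint) for kind, val in san)
    if not ok:
        return False, f"no SAN entry matches {endpoint}"
    if cn is None or cn.lower().rstrip(".") != endpoint.lower().rstrip("."):
        return False, f"CN {cn!r} does not match {endpoint}"
    return True, "ok"


def fetch_peer_cert(host: str, port: int = 443, cafile: str | None = None) -> dict:
    """Fetch the endpoint's leaf certificate after a verified handshake.

    getpeercert() returns {} unless the chain was verified, so pass the CA
    (cafile) that issued the endpoint certificate. Host name checking is
    disabled here only so that check_hostname() can report the reason itself.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; not real certificates.
GOOD_CERT = {
    "subject": ((("commonName", "s3.example.internal"),),),
    "subjectAltName": (("DNS", "s3.example.internal"), ("IP Address", "10.0.0.5")),
}
NO_SAN_CERT = {
    "subject": ((("commonName", "s3.example.internal"),),),
    "subjectAltName": (),
}
WILDCARD_SAN_CERT = {
    "subject": ((("commonName", "s3.example.internal"),),),
    "subjectAltName": (("DNS", "*.example.internal"),),
}

if __name__ == "__main__":
    for name, cert, endpoint in [
        ("good/fqdn", GOOD_CERT, "s3.example.internal"),
        ("good/ip", GOOD_CERT, "10.0.0.5"),
        ("no-san", NO_SAN_CERT, "s3.example.internal"),
        ("wildcard", WILDCARD_SAN_CERT, "s3.example.internal"),
    ]:
        print(name, check_hostname(cert, endpoint))
```

Note that the "good/ip" case fails: the SAN carries the IP address, but the CN is the FQDN, and the page requires the CN to match whichever form of the endpoint you configured. Configure the endpoint as the FQDN in that case, or issue the certificate with a CN that matches the address you use.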
The following scenarios list which VMs are affected by a certificate change and the action to take:

  • Scenario: The Provider VM has been recovered.
    • Affected VMs: Provider VM
    • Action: No action required; VMware Data Services Manager automatically copies and trusts all trusted certificates on the new Provider.
  • Scenario: The S3 trusted certificate expires.
    • Affected VMs: Provider VM, database
    • Action: Replace the existing certificate with the new certificate.
  • Scenario: The LDAP trusted certificate expires.
    • Affected VMs: Provider VM
    • Action: Replace the existing certificate with the new certificate.
  • Scenario: New trusted certificates must be added to the Provider.
    • Affected VMs: Provider VM
    • Action: Manually update the certificates.
  • Scenario: New trusted certificates must be added to the database.
    • Affected VMs: Database
    • Action: Manually update the certificates.
  • Scenario: Trust-on-first-use SSL validation occurs.
    • Affected VMs: Provider VM
    • Action: No action required; VMware Data Services Manager adds the new certificate to the truststore with no impact on already trusted certificates.