By default, VMware Data Services Manager manages the certificates for the Provider VM. These certificates are not certified by any public certificate authority. If your organization employs more restrictive certificate policies, you can replace the default VMware Data Services Manager certificate with your own custom certificate.
As a DSM administrator, you can configure custom certificates, including a certificate chain along with its associated private key, and a certificate authority (CA).
- If you choose to configure a custom certificate, you are responsible for renewing it when it approaches its expiration date. You must also update the Kubernetes TLS Secret. For more information, see TLS Secrets in the Kubernetes Documentation.
If the certificate expires, you might experience problems. For example, you might lose access to the DSM console, you might not be able to upgrade or restart database clusters, database cluster metrics might become unavailable, and so on.
- Updating VMware Data Services Manager certificates causes a restart of the DSM UI service.
- Updating the Provider VM CA causes a restart of all database clusters in the environment. While this change is being applied, database metrics might not be available. It is recommended to set up the Provider VM CA before you add any database clusters to VMware Data Services Manager.
Prerequisites
- Make sure that your environment meets these prerequisites:
- VMware Data Services Manager version 2.1 and later.
All database clusters must be created in VMware Data Services Manager version 2.1 and later. Upgrade older database clusters that were created in VMware Data Services Manager 2.0 to version 2.1 and later.
Note: You can keep version 2.0 database clusters that were created in VMware Data Services Manager 2.1.
- Use the VMware Data Services Manager API to perform this task. For more information, see Access the VMware Data Services Manager API.
To manage the certificates, you can use Kubernetes cert-manager. It manages various certificate and issuer types and outputs a Kubernetes TLS Secret in the required format. For information, see the cert-manager web site at https://cert-manager.io/. Other certificate management tools are also supported.
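Because renewal is your responsibility once you use a custom certificate, it helps to check the Secret's contents before applying them and on a schedule afterwards. The following script is an added example, not VMware's or cert-manager's code. It assumes the Secret's `tls.crt`, `tls.key` and `ca.crt` keys (the keys cert-manager writes) have been decoded into one directory; the function name, return codes and 30-day default are choices made here.

```sh
#!/bin/sh
# Added example: pre-flight checks on the files of a kubernetes.io/tls Secret.
# Assumption: DIR holds tls.crt (leaf first, then intermediates), tls.key and
# ca.crt, for example decoded from the Secret with:
#   kubectl get secret <secret-name> -n <namespace> \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
# <secret-name> and <namespace> are placeholders; the page does not name them.
#
# Return codes: 0 ok, 2 file missing, 3 key/certificate mismatch,
#               4 chain does not verify against ca.crt, 5 expires within DAYS.
check_tls_secret() {
    cts_dir=$1
    cts_days=${2:-30}
    cts_crt="$cts_dir/tls.crt"; cts_key="$cts_dir/tls.key"; cts_ca="$cts_dir/ca.crt"

    for cts_f in "$cts_crt" "$cts_key" "$cts_ca"; do
        [ -s "$cts_f" ] || { echo "missing or empty: $cts_f" >&2; return 2; }
    done

    # The first certificate in tls.crt must carry the public key of tls.key.
    cts_pub_crt=$(openssl x509 -in "$cts_crt" -noout -pubkey 2>/dev/null) || return 3
    cts_pub_key=$(openssl pkey -in "$cts_key" -pubout 2>/dev/null) || return 3
    [ "$cts_pub_crt" = "$cts_pub_key" ] ||
        { echo "tls.key does not match the leaf in tls.crt" >&2; return 3; }

    # The leaf must chain to ca.crt; any further certificates in tls.crt are
    # offered to the verifier as untrusted intermediates.
    openssl verify -CAfile "$cts_ca" -untrusted "$cts_crt" "$cts_crt" >/dev/null 2>&1 ||
        { echo "tls.crt does not verify against ca.crt" >&2; return 4; }

    # -checkend exits non-zero when notAfter falls inside the window (seconds).
    openssl x509 -in "$cts_crt" -noout -checkend $((cts_days * 86400)) >/dev/null ||
        { echo "leaf certificate expires within $cts_days days" >&2; return 5; }

    echo "ok: key matches, chain verifies, more than $cts_days days left"
}

# Direct use: sh check_tls_secret.sh DIR [DAYS]
if [ "$#" -ge 1 ]; then check_tls_secret "$@"; fi
```

Run on a schedule, return code 5 gives advance notice to renew before the DSM console or database cluster operations are affected.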