By default, VMware Data Services Manager manages the certificates for the database cluster. These certificates are not certified by any public certificate authority. If your organization employs more restrictive certificate policies, you can replace the default VMware Data Services Manager certificate with your own custom certificate.
As a DSM administrator, you can configure custom certificates, including a certificate chain along with its associated private key and a certificate authority (CA).
- You cannot configure custom certificates for multi-node PostgreSQL clusters with activated High Availability.
- If you choose to configure a custom certificate, you are responsible for renewing it when it approaches its expiration date.
If the certificate expires, your environment might experience problems, such as losing monitoring of the database cluster, losing client connectivity, being considered unhealthy, or being shut down. You must also update the Kubernetes TLS Secret with the renewed certificate. For more information, see TLS Secrets in the Kubernetes Documentation.
- Updating database cluster certificates can cause a restart of the database cluster.
Prerequisites
- Use the VMware Data Services Manager API to perform this task. For more information, see Access the VMware Data Services Manager API.
- To manage the certificates, you can use Kubernetes cert-manager. It manages various certificate and issuer types and outputs a Kubernetes TLS Secret in the required format. For information, see the cert-manager web site at https://cert-manager.io/. Other certificate management tools are also supported.
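The following cert-manager `Certificate` resource is an added example, not taken from the VMware documentation. It shows one way to have cert-manager issue the certificate from an internal CA and write it to a Kubernetes TLS Secret, renewing it before it expires. The resource name, namespace, issuer name, DNS name, and durations are assumptions to replace with your own values.

```yaml
# Added example: every name and value below is a placeholder, not a DSM default.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pg-cluster-tls              # hypothetical resource name
  namespace: database-certs         # hypothetical namespace
spec:
  # cert-manager writes a Secret of type kubernetes.io/tls with this name.
  # It holds tls.crt (leaf certificate followed by any intermediates),
  # tls.key (private key) and, when the issuer supplies it, ca.crt.
  secretName: pg-cluster-tls
  duration: 2160h                   # certificate lifetime: 90 days
  # Renew 30 days before expiry. cert-manager rewrites the Secret on renewal,
  # and a certificate update can restart the database cluster, so pick a
  # window that leaves room to schedule the change.
  renewBefore: 720h
  privateKey:
    algorithm: RSA
    size: 2048
    rotationPolicy: Always          # generate a new key at each renewal
  usages:
    - server auth
  dnsNames:
    - pg-cluster.example.internal   # constructed hostname clients connect to
  issuerRef:
    name: corp-ca-issuer            # hypothetical ClusterIssuer backed by your CA
    kind: ClusterIssuer
    group: cert-manager.io
```

After applying the resource, `kubectl describe certificate pg-cluster-tls -n database-certs` shows the issued certificate's expiry and next renewal time.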