# Using Custom Certificates

Starting from this release, you can configure custom SSL/TLS certificates for your Self-hosted Private Cloud Director deployment. Previously, the system only used self-signed certificates generated during the deployment process.

### Overview

By default, the system generates self-signed certificates during installation. You can now:

* Use your own custom-signed certificates
* Continue using automatically generated self-signed certificates

You can apply custom certificates during a new installation or update existing deployments using the `renew-certs` command.

### Configure Custom Certificates During Installation

Prerequisites

* A valid SSL/TLS certificate file (`.crt`)
* A corresponding private key file (`.key`)
* Read access to both files for the user running the configuration

{% stepper %}
{% step %}

### Prepare your certificate files

Place your certificate and key files in an accessible location on your system.

Example:

```bash
service.crt   # Certificate file
service.key   # Private key file
```

{% endstep %}

{% step %}

### Specify certificate paths

You can provide the certificate and key paths using either of these methods.

Option A: Export as environment variables

```bash
export USER_CERT_PATH="/path/to/service.crt"
export USER_KEY_PATH="/path/to/service.key"
```

Option B: Pass as command-line arguments

```bash
airctl configure {other_flags} \
--user-cert-path /path/to/service.crt \
--user-key-path /path/to/service.key
```

{% endstep %}

{% step %}

### Verify the configuration

After you run the configuration command, verify that the certificate paths appear in the configuration file.

Check `/opt/pf9/airctl/conf/airctl-config.yaml`:

```yaml
...
user_cert_path: /path/to/service.crt
user_key_path: /path/to/service.key
...
```

Expected outcome: The configuration file contains your specified certificate paths.
{% endstep %}

{% step %}

### Update the certificates

Run the `renew-certs` command to apply the certificates:

```bash
airctl renew-certs --config /opt/pf9/airctl/conf/airctl-config.yaml
```

{% endstep %}
{% endstepper %}

### Update Certificates on Existing Deployments

If you have an existing PCD deployment, you can replace the current certificates using the `airctl renew-certs` command.

Prerequisites

* You have an existing PCD deployment
* You have the new certificate and key files ready
* You have access to the configuration file at `/opt/pf9/airctl/conf/airctl-config.yaml`

{% stepper %}
{% step %}

### Update the configuration file

Set the new certificate paths using one of these methods:

* Export environment variables (as shown in the installation section)
* Use the `airctl configure` command with certificate path arguments
* Edit `/opt/pf9/airctl/conf/airctl-config.yaml` directly

> Keep all other configuration fields unchanged.

{% endstep %}

{% step %}

### Verify the updated configuration

Check that `/opt/pf9/airctl/conf/airctl-config.yaml` reflects the new certificate paths:

```yaml
certPath: /path/to/new/service.crt
certKeyPath: /path/to/new/service.key
```

{% endstep %}

{% step %}

### Renew the certificates

Run the certificate renewal command:

```bash
airctl renew-certs --config /opt/pf9/airctl/conf/airctl-config.yaml
```

Expected outcome: The command updates the certificates in your deployment. You can switch from custom to self-signed certificates or from self-signed to custom certificates.
{% endstep %}
{% endstepper %}

{% hint style="info" %}
Important Notes

* Ensure that your `DU_FQDN` environment variable or the `duFqdn` field in the airctl configuration file matches the domain specified in your certificates.
* The user running configuration commands must have read access to the certificate files.
* You can switch between custom and self-signed certificates at any time using the `airctl renew-certs` command.
{% endhint %}
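
The notes above require that the certificate's domain match `DU_FQDN` and that both files be readable. The following helper is an added example (not part of airctl or of this product's documentation) that checks those conditions with `openssl` before you run `airctl configure` or `airctl renew-certs`. The function name `check_cert_pair`, its return codes, the key-permission warning, and the 7-day expiry margin are assumptions of this example.

```bash
# Added example: pre-flight check for a custom certificate/key pair.
# check_cert_pair is a hypothetical helper, not an airctl subcommand.
# Usage:   check_cert_pair CERT KEY FQDN
# Returns: 0 ok, 1 unreadable file, 2 unparsable or mismatched key,
#          3 expired or expiring within 7 days, 4 FQDN not covered.
check_cert_pair() {
    local cert=$1 key=$2 fqdn=$3 perms cert_pub key_pub

    # The user running airctl needs read access to both files.
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL: cannot read $cert or $key" >&2
        return 1
    fi

    # Warn (without failing) when group/other have any access to the key.
    perms=$(ls -lLd "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "WARN: $key mode allows group/other access ($perms)" >&2
    fi

    # Key and certificate belong together only if their public keys are equal.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2
        return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((7 * 86400)) >/dev/null; then
        echo "FAIL: certificate is expired or expires within 7 days" >&2
        return 3
    fi

    # -checkhost reports whether the name matches; its exit code is not
    # relied on here, so match on the success message instead.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "FAIL: certificate does not cover $fqdn" >&2
        return 4
    fi
    echo "OK: $cert and $key are usable for $fqdn"
}

# Run only when the variables this page uses are all set in the environment.
if [ -n "${USER_CERT_PATH:-}" ] && [ -n "${USER_KEY_PATH:-}" ] && [ -n "${DU_FQDN:-}" ]; then
    check_cert_pair "$USER_CERT_PATH" "$USER_KEY_PATH" "$DU_FQDN"
fi
```

With `USER_CERT_PATH`, `USER_KEY_PATH`, and `DU_FQDN` exported, running the script performs the check directly; a non-zero exit status identifies which condition failed.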
