Using Custom Certificates

Starting from this release, you can configure custom SSL/TLS certificates for your Self-hosted Private Cloud Director deployment. Previously, the system only used self-signed certificates generated during the deployment process.

Overview

By default, the system generates self-signed certificates during installation. You can now:

  • Use your own custom-signed certificates

  • Continue using automatically generated self-signed certificates

You can apply custom certificates during a new installation or update existing deployments using the renew-certs command.

Configure Custom Certificates During Installation

Prerequisites

  • A valid SSL/TLS certificate file (.crt)

  • A corresponding private key file (.key)

  • Read access to both files for the user running the configuration

1. Prepare your certificate files

Place your certificate and key files in an accessible location on your system.

Example:

service.crt   # Certificate file
service.key   # Private key file

2. Specify certificate paths

You can provide the certificate and key paths using either of these methods.

Option A: Export as environment variables

export USER_CERT_PATH="/path/to/service.crt"
export USER_KEY_PATH="/path/to/service.key"

Option B: Pass as command-line arguments

airctl configure {other_flags} \
--user-cert-path /path/to/service.crt \
--user-key-path /path/to/service.key

3. Verify the configuration

After you run the configuration command, verify that the certificate paths appear in the configuration file.

Check /opt/pf9/airctl/conf/airctl-config.yaml:

...
user_cert_path: /path/to/service.crt
user_key_path: /path/to/service.key
...

Expected outcome: The configuration file contains your specified certificate paths.

4. Update the certificates

Run the renew-certs command to update the certificates:

airctl renew-certs --config /opt/pf9/airctl/conf/airctl-config.yaml

Update Certificates on Existing Deployments

If you have an existing PCD deployment, you can replace the current certificates using the airctl renew-certs command.

Prerequisites

  • You have an existing PCD deployment

  • You have the new certificate and key files ready

  • You have access to the configuration file at /opt/pf9/airctl/conf/airctl-config.yaml

1. Update the configuration file

Set the new certificate paths using one of these methods:

  • Export environment variables (as shown in the installation section)

  • Use the airctl configure command with certificate path arguments

  • Edit /opt/pf9/airctl/conf/airctl-config.yaml directly

Keep all other configuration fields unchanged.

2. Verify the updated configuration

Check that /opt/pf9/airctl/conf/airctl-config.yaml reflects the new certificate paths:

3. Renew the certificates

Run the certificate renewal command:

Expected outcome: The command updates the certificates in your deployment. You can switch from custom to self-signed certificates or from self-signed to custom certificates.

Important Notes

  • Ensure that your DU_FQDN environment variable or the duFqdn field in the airctl configuration file matches the domain specified in your certificates.

  • The user running configuration commands must have read access to the certificate files.

  • You can switch between custom and self-signed certificates at any time using the airctl renew-certs command.
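
A pre-flight check for the points above, to run before airctl configure or airctl renew-certs. This is an added example, not part of the product or its tooling; it assumes the openssl CLI is installed, and the function name check_cert_pair and its return codes are invented for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a custom certificate pair.
# Usage: check_cert_pair <cert.crt> <private.key> <fqdn>
# Return codes (this example's own convention):
#   0 ok, 2 unreadable file, 3 key does not match certificate,
#   4 FQDN not covered by certificate, 5 certificate expired
check_cert_pair() {
    cert=$1 key=$2 fqdn=$3

    # The user running airctl must be able to read both files.
    [ -r "$cert" ] && [ -r "$key" ] || { echo "unreadable: $cert or $key" >&2; return 2; }

    # Warn (do not fail) when the private key is readable by group or others.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "warning: $key is readable by group/others" >&2
    fi

    # The key corresponds to the certificate when both yield the same public key.
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 3; }

    # -checkhost applies TLS hostname matching (SAN entries, wildcards).
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
        | grep -q 'does match certificate' || { echo "$fqdn not covered by $cert" >&2; return 4; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "$cert has expired" >&2; return 5; }

    echo "ok: $cert matches $key and covers $fqdn"
}

# Run against the variables named on this page when all three are set.
if [ -n "${USER_CERT_PATH:-}" ] && [ -n "${USER_KEY_PATH:-}" ] && [ -n "${DU_FQDN:-}" ]; then
    check_cert_pair "$USER_CERT_PATH" "$USER_KEY_PATH" "$DU_FQDN"
fi
```

A non-zero return means the pair would be rejected by clients or does not belong together, so fix it before running renew-certs.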
