# Using Custom Certificates

Starting from this release, you can configure custom SSL/TLS certificates for your Self-hosted Private Cloud Director deployment. Previously, the system only used self-signed certificates generated during the deployment process.

### Overview

By default, the system generates self-signed certificates during installation. You can now:

* Use your own custom-signed certificates
* Continue using automatically generated self-signed certificates

You can apply custom certificates during a new installation or update existing deployments using the `renew-certs` command.

### Configure Custom Certificates During Installation

Prerequisites

* A valid SSL/TLS certificate file (`.crt`)
* A corresponding private key file (`.key`)
* Read access to both files for the user running the configuration

{% stepper %}
{% step %}

#### Prepare your certificate files

Place your certificate and key files in an accessible location on your system.

Example:

```bash
service.crt   # Certificate file
service.key   # Private key file
```

{% endstep %}

{% step %}

#### Specify certificate paths

You can provide the certificate and key paths using either of these methods.

Option A: Export as environment variables

```bash
export USER_CERT_PATH="/path/to/service.crt"
export USER_KEY_PATH="/path/to/service.key"
```

Option B: Pass as command-line arguments

```bash
airctl configure {other_flags} \
--user-cert-path /path/to/service.crt \
--user-key-path /path/to/service.key
```

{% endstep %}

{% step %}

#### Verify the configuration

After you run the configuration command, verify that the certificate paths appear in the configuration file.

Check `/opt/pf9/airctl/conf/airctl-config.yaml`:

```yaml
...
user_cert_path: /path/to/service.crt
user_key_path: /path/to/service.key
...
```

Expected outcome: The configuration file contains your specified certificate paths.
{% endstep %}

{% step %}

#### Update the certificates

Run the `renew-certs` command to update the certificates:

```bash
airctl renew-certs --config /opt/pf9/airctl/conf/airctl-config.yaml
```

{% endstep %}
{% endstepper %}

### Update Certificates on Existing Deployments

If you have an existing PCD deployment, you can replace the current certificates using the `airctl renew-certs` command.

Prerequisites

* You have an existing PCD deployment
* You have the new certificate and key files ready
* You have access to the configuration file at `/opt/pf9/airctl/conf/airctl-config.yaml`

{% stepper %}
{% step %}

#### Update the configuration file

Set the new certificate paths using one of these methods:

* Export environment variables (as shown in the installation section)
* Use the `airctl configure` command with certificate path arguments
* Edit `/opt/pf9/airctl/conf/airctl-config.yaml` directly

> Keep all other configuration fields unchanged.

{% endstep %}

{% step %}

#### Verify the updated configuration

Check that `/opt/pf9/airctl/conf/airctl-config.yaml` reflects the new certificate paths:

```yaml
certPath: /path/to/new/service.crt
certKeyPath: /path/to/new/service.key
```

{% endstep %}

{% step %}

#### Renew the certificates

Run the certificate renewal command:

```bash
airctl renew-certs --config /opt/pf9/airctl/conf/airctl-config.yaml
```

Expected outcome: The command updates the certificates in your deployment. You can switch from custom to self-signed certificates or from self-signed to custom certificates.
{% endstep %}
{% endstepper %}

{% hint style="info" %}
Important Notes

* Ensure that your `DU_FQDN` environment variable or the `duFqdn` field in the airctl configuration file matches the domain specified in your certificates.
* The user running configuration commands must have read access to the certificate files.
* You can switch between custom and self-signed certificates at any time using the `airctl renew-certs` command.
{% endhint %}
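
A pre-flight check for the notes above, as an added example that is not part of `airctl` or of the original documentation: it confirms that both files are readable, that the key belongs to the certificate, that the certificate covers the FQDN, and that it has not expired. `check_custom_cert` is a hypothetical helper name; the script assumes PEM files and the `openssl` CLI, and the key-permission warning is an extra hardening check this page does not require.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `airctl configure` or
# `airctl renew-certs`. check_custom_cert is a hypothetical helper, not part of airctl.
# Usage: check_custom_cert CERT KEY FQDN   (returns 0 only if every check passes)
check_custom_cert() (
    cert=$1; key=$2; fqdn=$3; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # Page prerequisite: the user running airctl must be able to read both files.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # Hardening check beyond the page: warn if group/other can access the key.
    perms=$(ls -lL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || echo "WARN: $key is accessible to group/other" >&2

    # The key must belong to the certificate: compare their public keys.
    # -passin pass: makes an encrypted key fail here instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ]; then
        fail "$cert is not a parseable PEM certificate"
    elif [ "$cert_pub" != "$key_pub" ]; then
        fail "private key does not match the certificate (or is encrypted)"
    fi

    # The certificate must cover the FQDN that DU_FQDN / duFqdn is set to.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q "does match"; then
        fail "certificate does not cover $fqdn"
    fi

    # The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        fail "certificate has expired"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are usable for $fqdn"
    return "$rc"
)

# Run directly: ./check_cert.sh /path/to/service.crt /path/to/service.key "$DU_FQDN"
if [ "$#" -eq 3 ]; then check_custom_cert "$@"; fi
```

Run it as the same user that runs `airctl`, so the read-access check reflects what the tool will see.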

