You can replace your signed certificates when they expire or substitute the default certificates with CA-signed certificates.

By default, Unified Access Gateway uses a self-signed TLS server certificate. For production environments, VMware strongly recommends that you replace the default self-signed certificate with a trusted CA-signed certificate for your environment.

Note the following considerations when you upload a certificate:
  • You can replace the default certificate with a PEM certificate for both the administrator and the user.
  • When you upload a CA-signed certificate on the admin interface, the TLS connector on the admin interface is updated and restarted to ensure the uploaded certificate takes effect. If the connector fails to restart with the uploaded CA-signed certificate, a self-signed certificate is generated and applied on the admin interface and the user is notified that the previous attempt to upload a certificate was unsuccessful.
    Note: With a PowerShell deployment of Unified Access Gateway, the TLS server certificate can be specified at deployment time. It is not necessary to replace it manually.

Prerequisites

Procedure

  1. In the Configure Manually section of the Unified Access Gateway admin UI, click Select.
  2. In the Advanced Settings section, click the TLS Server Certificate Settings gearbox icon.
  3. Select either Admin Interface or Internet Interface to apply the certificate to that interface. You can also select both to apply the certificate to both interfaces.
  4. Select a Certificate Type of PEM or PFX.
  5. If the Certificate Type is PEM:
    1. In the Private Key row, click Select and browse to the private key file.
    2. Click Open to upload the file.
    3. In the Certificate Chain row, click Select and browse to the certificate chain file.
    4. Click Open to upload the file.
  6. If the Certificate Type is PFX:
    1. In the Upload PFX row, click Select and browse to the PFX file.
    2. Click Open to upload the file.
    3. Enter the password of the PFX certificate.
    4. Enter an alias for the PFX certificate.
      You can use the alias to distinguish when multiple certificates are present.
  7. Click Save.

Results

A confirmation message is displayed when the certificate is updated successfully.
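
Because a failed connector restart on the admin interface falls back to a generated self-signed certificate, it is worth checking the two PEM files before uploading them. The following pre-upload check is an added example, not VMware code: it catches swapped key and chain files, a truncated block, and a passphrase-encrypted key. The function names are hypothetical, and the check assumes the key must be unencrypted because the PEM steps above have no passphrase field.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def der_is_complete(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        return len(der) == 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_pem(text: str) -> list:
    """Return (label, encrypted, der_or_None) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
        # Header lines such as "DEK-Info: ..." contain a colon; base64 never does.
        b64 = "".join(line for line in body.splitlines() if ":" not in line)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            der = None
        blocks.append((label, encrypted, der))
    return blocks

def preflight(key_text: str, chain_text: str) -> list:
    """List problems in a private key file and a certificate chain file."""
    problems = []
    keys = parse_pem(key_text)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("key file must hold exactly one PRIVATE KEY block")
    elif keys[0][1]:
        problems.append("private key is passphrase-encrypted")
    elif keys[0][2] is None or not der_is_complete(keys[0][2]):
        problems.append("private key block is truncated or corrupt")
    chain = parse_pem(chain_text)
    if not chain:
        problems.append("chain file holds no PEM blocks")
    for i, (label, _, der) in enumerate(chain):
        if label != "CERTIFICATE":
            problems.append(f"chain block {i} is {label}, not CERTIFICATE")
        elif der is None or not der_is_complete(der):
            problems.append(f"chain block {i} is truncated or corrupt")
    return problems
```

Pass `preflight()` the text of the private key file and the certificate chain file; an empty list means both are structurally sound. It does not confirm that the key belongs to the certificate or that the chain validates.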