Regenerate the Cloud Service self-signed SSL certificate or import a CA-signed certificate. With the new certificate, reestablish the trust with the local Tunnel Service and re-pair all cloud sites.

1. Log in to the management interface of the Cloud Replication Management Appliance.
   1. In a Web browser, go to https://Appliance-IP-Address/ui/admin.
   2. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
   3. Click Login.
2. Replace the certificate of the Cloud Service.
   1. In the left pane, click Configuration.
   2. Under Appliance settings next to Certificate, select the certificate replacement method.

      Option	Description
      Import	Upload a CA-signed certificate.
      Regenerate	Generate a new self-signed certificate.

   3. Click Apply.
      Cloud Service creates a copy of the old certificate at /opt/vmware/h4/cloud/config/keystore.p12.bak. You are logged out and the services automatically restart in a few minutes.
3. Log in to the management interface of the Cloud Replication Management Appliance.
   1. In a Web browser, go to https://Appliance-IP-Address/ui/admin.
   2. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
   3. Click Login.
4. Trust the new certificate of the Cloud Service in the Tunnel Service.
   1. In the left pane, click Configuration.
   2. Under Service endpoints, next to Tunnel address click Edit.
   3. In the Tunneling Settings window, enter the Tunnel Service root user credentials and click Apply.
   4. To complete the trust reestablishment, accept the local Tunnel Service SSL certificate.
5. Trust the new Cloud Service certificate in the paired cloud sites.
   1. In the left pane, click Sites.
   2. Select a cloud site and click Repair.
   3. In the Update Pairing window, click Update.
   4. To complete the trust reestablishment, accept the remote Cloud Service SSL certificate.
   Note: Repeat this step and select to re-pair the remaining cloud sites.