You can replace the certificate for the Cloud Gateway Appliance when the certificate expires or when you want to use a certificate from another certificate provider.


Use this method of replacing the certificate only after Hybrid Linked Mode is enabled. If you need to replace the certificate on a Cloud Gateway Appliance without Hybrid Linked Mode enabled, see Replace the Certificate for the vCenter Cloud Gateway.

Generate certificate signing requests (CSRs) for each certificate you want to replace. Provide the CSR to your Certificate Authority. When the Certificate Authority returns the certificate, place it in a location that you can access from the Cloud Gateway Appliance.


  1. In a web browser, go to http://cga-address/ui where cga-address is the IP address or FQDN of the Cloud Gateway Appliance.
  2. Log in with your on-premises credentials.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. Enter your credentials and click Login and Manage Certificates.
  5. On the Machine SSL Certificate, select Actions > Replace.
  6. Click the browse button on the Certificate Chain and provide the path of the certificate chain file.
    This file should contain the machine SSL certificate, the Root CA certificate, and the entire chain of trust.
  7. Click the browse button on the private key and provide the private key for the certificate.
  8. Click Replace.

What to do next

When the certificate is successfully replaced, restart all services on the Cloud Gateway Appliance. See