You can replace the certificate for the vCenter Cloud Gateway Appliance when the certificate expires or when you want to use a certificate from another certificate provider.

Prerequisites

Use this method of replacing the certificate only after Hybrid Linked Mode is enabled. If you need to replace the certificate on a vCenter Cloud Gateway Appliance without Hybrid Linked Mode enabled, see #GUID-BCF6FCFD-965C-4B18-B8B3-F5AB2F687D3A.

Generate certificate signing requests (CSRs) for each certificate you want to replace. Provide the CSR to your Certificate Authority. When the Certificate Authority returns the certificate, place it in a location that you can access from the vCenter Cloud Gateway Appliance.

Procedure

  1. In a web browser, go to http://cga-address/ui where cga-address is the IP address or FQDN of the vCenter Cloud Gateway Appliance.
  2. Log in with your on-premises credentials.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. Enter your credentials and click Login and Manage Certificates.
  5. On the Machine SSL Certificate, select Actions > Replace.
  6. Click the browse button on the Certificate Chain and provide the path of the certificate chain file.
    This file should contain the machine SSL certificate, the Root CA certificate, and the entire chain of trust.
  7. Click the browse button on the private key and provide the private key for the certificate.
  8. Click Replace.
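A check you can run on the files before uploading them in steps 6 and 7. This is an added example, not part of the original procedure or VMware tooling: the function name `check_cga_cert` is hypothetical, and it assumes PEM files, an unencrypted private key, and a chain file ordered with the machine SSL certificate first and the Root CA certificate last.

```shell
# Added example: pre-upload check for the chain file and private key.
# Usage: check_cga_cert chain.pem machine.key   (file names are placeholders)
check_cga_cert() {
    chain=$1; key=$2; rc=0
    tmp=$(mktemp -d) || return 2
    # Split the chain file into one PEM file per certificate (cert-01.pem, ...).
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", d, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$chain"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    leaf="$tmp/cert-01.pem"
    root=$(printf '%s/cert-%02d.pem' "$tmp" "$count")
    if [ "$count" -lt 2 ]; then
        echo "FAIL: chain file needs the machine certificate and its CA chain"; rc=1
    else
        # The private key must belong to the first (machine SSL) certificate.
        cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
            { echo "FAIL: private key does not match the first certificate"; rc=1; }
        # The last certificate must be self-issued, as a Root CA certificate is.
        [ "$(openssl x509 -in "$root" -noout -subject_hash)" = \
          "$(openssl x509 -in "$root" -noout -issuer_hash)" ] ||
            { echo "FAIL: last certificate is not a Root CA certificate"; rc=1; }
        # The path from the machine certificate to that root must build from
        # the certificates in the file; an expired certificate also fails here.
        openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1 ||
            { echo "FAIL: chain does not verify up to the root in the file"; rc=1; }
        # On success, print the expiry date of the machine certificate.
        [ "$rc" -eq 0 ] && echo "OK: $(openssl x509 -in "$leaf" -noout -enddate)"
    fi
    rm -rf "$tmp"
    return "$rc"
}
```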

What to do next

When the certificate is successfully replaced, restart all services on the vCenter Cloud Gateway Appliance. See https://kb.vmware.com/s/article/2109887.