You can replace the certificate for the Cloud Gateway Appliance when the certificate expires or when you want to use a certificate from another certificate provider.

Important: If you have configured Hybrid Linked Mode on the Cloud Gateway Appliance, do not use this procedure to replace the certificate. Use the process in Replace the Certificate for the Cloud Gateway Appliance with Hybrid Linked Mode Enabled instead.


  1. Connect to the Cloud Gateway Appliance using SSH.
  2. Choose whether to use a self-signed certificate or one signed by a Certificate Authority (CA).
    Option: Generate a self-signed certificate
    Description: At the command line, type openssl req -x509 -newkey rsa:4096 -keyout server.pem -out cert.pem -days 365 -nodes to generate the certificate.

    Option: Use a CA-signed certificate
    Description:
    1. Generate a Certificate Signing Request (CSR) by typing openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.pem at the command line.
    2. Provide the CSR to your CA according to their request process.
    3. When you receive the certificate from your CA, place it in a location you can access from the Cloud Gateway Appliance.
  3. Append the cert.pem file that you generated or received from your CA to the server.pem file by typing cat cert.pem >> server.pem.
  4. Back up the old certificate by typing cp /etc/applmgmt/appliance/server.pem /etc/applmgmt/appliance/server.pem.bk.
  5. Replace the old certificate with the server.pem file that you created in Step 3 by typing mv server.pem /etc/applmgmt/appliance/.
  6. Type systemctl restart gps_envoy.service to restart the envoy service.
  7. If Cloud Foundation registration is enabled, type systemctl restart aap_envoy.service to restart the Atlas Agent Platform envoy service.
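
A check you can run on the combined server.pem after step 3 and before the mv in step 5, so that a mismatched or expired certificate is caught before the envoy services are restarted. This is an added example, not part of the original procedure or an appliance tool; the function name check_bundle and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check for the combined server.pem built in step 3 (private key
# followed by the appended certificate). check_bundle is a hypothetical
# helper name for this example, not a tool shipped on the appliance.
# Return codes: 0 ok, 1 no usable private key, 2 no usable certificate,
#               3 key and certificate do not match, 4 certificate expired.
check_bundle() {
    bundle=$1

    # Both PEM blocks must be present; a missing key usually means cert.pem
    # was copied over server.pem instead of being appended to it.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle" || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" || return 2

    # Derive the public key from the private key, and extract the one embedded
    # in the first certificate of the file (the leaf, if a chain was appended).
    key_pub=$(openssl pkey -in "$bundle" -pubout -passin pass: 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 2

    # A mismatch means the certificate was issued for a different key, for
    # example a CA reply to an older CSR than the one that produced server.pem.
    [ "$key_pub" = "$crt_pub" ] || return 3

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Stand-alone use: sh check_bundle.sh server.pem
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
    rc=$?
    echo "check_bundle $1: exit code $rc"
    exit "$rc"
fi
```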