By default, VMware Cloud Gateway uses the self-signed certificate that is generated during installation. You can replace the certificate when it expires or when you want to use a certificate from another certificate provider. You can use either a self-signed certificate or a certificate signed by a Certificate Authority (CA).

Important: If you have configured Hybrid Linked Mode on VMware Cloud Gateway, do not use this procedure to replace the certificate. Use the process in "Replace the Certificate for the Cloud Gateway Appliance with Hybrid Linked Mode Enabled" instead.


  1. Connect to VMware Cloud Gateway using SSH.
  2. For a self-signed certificate, generate the certificate by typing the following command at the command line:
    openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes
  3. For a CA-signed certificate, generate the certificate by performing the following steps:
    1. Generate a Certificate Signing Request (CSR) by typing the following command at the command line:
      openssl req -new -newkey rsa:4096 -nodes -out server.csr -keyout server.key
    2. Provide the CSR to your CA according to their request process.
    3. When you receive the certificate from your CA, place it in a location you can access from the VMware Cloud Gateway.
    4. If the CA is not a well-known CA, ensure that the root CA certificate has the following parameters set:
       X509v3 extensions:
                  X509v3 Basic Constraints: critical
                  X509v3 Key Usage: critical
                      Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
      Note: Set Key Encipherment on the endpoint/machine SSL certificate.
    5. Obtain the following files from the CA:
      • server.key: VMware Cloud Gateway private key.
      • server.crt: CA signed VMware Cloud Gateway leaf certificate and all intermediate CA certificates (if any).
      • rootCA.pem: the root CA certificate in the certificate chain.
  4. Generate the server.pem file, which is the full certificate chain including server.crt, all intermediate CAs (if any), and the private key (server.key) by typing the following command:
    cat server.crt server.key > server.pem
    The server.pem must include the details in the following order:
  5. If you are using a self-signed certificate, copy the contents of the new server.crt file to rootCA.pem by typing the following command:
    cp server.crt rootCA.pem
  6. Back up the existing server.pem and rootCA.pem in the /etc/applmgmt/appliance directory by typing the following commands:
    cp -p /etc/applmgmt/appliance/server.pem /etc/applmgmt/appliance/server.pem.bak
    cp -p /etc/applmgmt/appliance/rootCA.pem /etc/applmgmt/appliance/rootCA.pem.bak
  7. Replace server.pem and rootCA.pem using the new files by typing the following command:
    cp -p server.pem rootCA.pem /etc/applmgmt/appliance/
  8. Restart the following services in the order shown:
    systemctl restart gps_envoy.service
    systemctl restart aap_envoy.service
    systemctl restart rsyslog.service
  9. Restart the aca_watchdog service to restart all the VAP agents that are running.
    systemctl restart aca_watchdog.service
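
A pre-install check for the files built in steps 4 and 5, to run before the copy in step 7. This is an added example, not part of the VMware procedure: the function name check_cert_bundle and its return codes are assumptions of this example, and the certificates-then-key block order is taken from the cat command in step 4.

```shell
#!/bin/sh
# Added example: sanity checks for server.pem and rootCA.pem before installing them.
# Usage: check_cert_bundle SERVER_PEM ROOT_CA_PEM
# Return codes (chosen for this example): 0 ok, 1 wrong block order,
# 2 key does not match leaf, 3 chain does not verify, 4 leaf expired.
check_cert_bundle() {
    pem=$1
    root=$2

    # Block order produced by `cat server.crt server.key`: certificates, then key.
    first=$(grep -e '-----BEGIN ' "$pem" | head -n 1)
    last=$(grep -e '-----BEGIN ' "$pem" | tail -n 1)
    case $first in *CERTIFICATE*) ;; *) echo "first block is not a certificate" >&2; return 1 ;; esac
    case $last in *"PRIVATE KEY"*) ;; *) echo "last block is not a private key" >&2; return 1 ;; esac

    # The private key must belong to the leaf (first) certificate:
    # compare digests of the two public keys.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$pem" |
        openssl pkey -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match leaf certificate" >&2; return 2; }

    # Fail if the leaf certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "leaf certificate is expired" >&2; return 4; }

    # Leaf must verify with rootCA.pem as trust anchor; any further
    # certificates in server.pem are offered as untrusted intermediates.
    openssl verify -CAfile "$root" -untrusted "$pem" "$pem" >/dev/null 2>&1 ||
        { echo "chain does not verify against $root" >&2; return 3; }
    return 0
}
```

Run it from the directory holding the new files, for example `check_cert_bundle server.pem rootCA.pem && echo OK`, and proceed to the backup and copy steps only when it returns 0.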