Replace the certificate on vSphere Data Protection in Region A with the certificate that is signed by the Microsoft CA on the dc01sfo.sfo01.rainpole.local AD server.


  1. On the Windows host that has access to the data center, copy the vdp.p7b certificate file to the /root folder on the vSphere Data Protection virtual appliance.

    You can use scp, FileZilla or WinSCP.

  2. Log in to the vSphere Data Protection appliance.
    1. Open an SSH connection to the virtual machine mgmt01vdp01.sfo01.rainpole.local.
    2. Log in using the following credentials.



      User name

  3. Verify that the vSphere Data Protection services are stopped. --test

    If the services are running, stop them by running the following command. --stop
  4. Import the certificate in the vSphere Data Protection keystore.
    1. Run the following console command.
      /usr/java/latest/bin/keytool -import -alias tomcat -keystore /root/.keystore -file /root/vdp.p7b
    2. When prompted for the keystore password, enter changeit.
    3. When prompted to trust the certificate, type yes and press Enter.

  5. Verify that the certificate is installed successfully. 
    1. Run the following command.
      /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore -storepass changeit -keypass changeit | grep tomcat
    2. Verify that the output contains the line Alias name: tomcat.

  6. Run the script to update the vSphere Data Protection server thumbprint that is displayed in the VM console welcome screen.

    This script does not return any output.

  7. Start the vSphere Data Protection services. --start
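
The grep in step 5 only shows that an alias named tomcat exists in the keystore. The following added example (not part of the original procedure) classifies that entry from the same keytool -list -v output as CA-signed or self-signed by comparing Owner and Issuer of the first certificate in the chain. The function name, the sample outputs and the issuer name CN=Example-Issuing-CA are constructed for illustration.

```shell
# Reads `keytool -list -v` output on stdin and prints one of:
# ca-signed, self-signed, not-private-key, missing.
check_tomcat_entry() {
  awk '
    /^Alias name: /           { in_alias = ($3 == "tomcat"); if (in_alias) found = 1; next }
    !in_alias                 { next }
    /^Entry type: /           { type = $3 }
    /^Certificate\[1\]:/      { first = 1; next }   # leaf certificate of the chain
    /^Certificate\[[0-9]+\]:/ { first = 0; next }   # CA certificates further up
    first && /^Owner: /       { owner = substr($0, 8) }
    first && /^Issuer: /      { issuer = substr($0, 9) }
    END {
      if (!found)                         print "missing"
      else if (type != "PrivateKeyEntry") print "not-private-key"
      else if (owner == issuer)           print "self-signed"
      else                                print "ca-signed"
    }'
}

# Constructed sample: a tomcat key entry that still carries a self-signed certificate.
sample_self_signed() {
  cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=mgmt01vdp01.sfo01.rainpole.local
Issuer: CN=mgmt01vdp01.sfo01.rainpole.local
EOF
}

# Constructed sample: the same entry after a signed chain was imported (placeholder CA name).
sample_ca_signed() {
  cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=mgmt01vdp01.sfo01.rainpole.local
Issuer: CN=Example-Issuing-CA
Certificate[2]:
Owner: CN=Example-Issuing-CA
Issuer: CN=Example-Issuing-CA
EOF
}

# On the appliance, pipe the step 5 command (without the grep) into the function:
# /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore -storepass changeit -keypass changeit | check_tomcat_entry
sample_self_signed | check_tomcat_entry   # prints self-signed
sample_ca_signed   | check_tomcat_entry   # prints ca-signed
```

Any result other than ca-signed means the services in step 7 would start with a certificate that was not issued by the CA.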