After you use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates for the SDDC management components, replace the default VMware-signed certificate on vSphere Data Protection in Region B with the certificate that is generated by CertGenVVD.


  1. Log in to the vSphere Data Protection appliance.
    1. Open an SSH connection to the virtual machine lax01m01vdp01.lax01.rainpole.local.
    2. Log in using the following credentials.



      User name




  2. Stop the vSphere Data Protection Web services by running the following command. --stop

    If you see errors related to the database server, ignore them.

  3. Delete the tomcat alias from the Java keystore by running the following command.
    /usr/java/latest/bin/keytool -delete -alias tomcat -storepass changeit
  4. Copy the .keystore file generated by the CertGenVVD tool to the /tmp folder on the vSphere Data Protection virtual appliance.

    You can use FileZilla or WinSCP.

  5. Run the following command to insert the new certificate chain into the keystore.
    keytool -importkeystore -srckeystore /tmp/.keystore -destkeystore /root/.keystore -srcstorepass changeit -deststorepass changeit
  6. Run the following command and in the command output verify whether the certificate entry with the tomcat alias exists in the keystore.
    /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore -storepass changeit -keypass changeit
  7. If the certificate entry exists in the keystore, run the script to update the vSphere Data Protection server thumbprint.
  8. Start the services by running the following command. --start
  9. Execute the following command to remove the /tmp/.keystore file.
    rm /tmp/.keystore
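
The check in step 6 can be scripted so that step 7 runs only when the tomcat alias holds a private key with its certificate chain, not merely a certificate. The following is an added example, not part of the original procedure: `check_alias` is a hypothetical helper, and the two keystore listings and the host name in them are constructed samples in the format that `keytool -list -v` prints.

```shell
#!/bin/sh
# Added example, not part of the VMware procedure. check_alias is a
# hypothetical helper; the sample listings below are constructed.
#
# Reads `keytool -list -v` output on stdin and inspects one alias.
# Prints "<entry type> <chain length>" and returns:
#   0  alias holds a private key with a certificate chain
#   1  alias exists but is not a PrivateKeyEntry (e.g. trustedCertEntry)
#   2  alias not found
check_alias() {
    awk -v want="$1" '
        /^Alias name: / { cur = tolower(substr($0, 13)); next }
        cur != want     { next }
        /^Entry type: / { etype = substr($0, 13) }
        /^Certificate chain length: / { chain = $4 + 0 }
        END {
            if (etype == "") { print "missing"; exit 2 }
            print etype, chain + 0
            exit !(etype == "PrivateKeyEntry" && chain >= 1)
        }'
}

# Constructed sample: what step 6 should show after a good import.
SAMPLE_OK='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=vdp.example.local'

# Constructed sample: only a certificate was imported, no private key.
SAMPLE_CERT_ONLY='Alias name: tomcat
Creation date: Jan 1, 2018
Entry type: trustedCertEntry

Owner: CN=vdp.example.local'

# On the appliance, pipe the step 6 command into the function instead:
#   /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore \
#       -storepass changeit | check_alias tomcat
printf '%s\n' "$SAMPLE_OK" | check_alias tomcat
printf '%s\n' "$SAMPLE_CERT_ONLY" | check_alias tomcat || echo "do not continue to step 7"
```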