You can replace the certificate for vCenter Cloud Gateway when the certificate expires or when you want to use a certificate from another certificate provider.

Important: If you have configured Hybrid Linked Mode on the vCenter Cloud Gateway, do not use this procedure to replace the certificate. Use the process in Replace the Certificate for the Cloud Gateway Appliance with Hybrid Linked Mode Enabled instead.


  1. Connect to vCenter Cloud Gateway using SSH.
  2. If you are using VMware Cloud on AWS, choose whether to use a self-signed certificate or one signed by a Certificate Authority (CA).
    Option: Generate a self-signed certificate
      At the command line, type openssl req -x509 -newkey rsa:4096 -keyout server.pem -out cert.pem -days 365 -nodes to generate the certificate.
    Option: Use a CA-signed certificate
      1. Generate a Certificate Signing Request (CSR) by typing openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.pem at the command line.
      2. Provide the CSR to your CA according to their request process.
      3. When you receive the certificate from your CA, place it in a location you can access from the vCenter Cloud Gateway.
  3. If you are using vSphere Advantage, use a CA-signed certificate. If the certificate is not issued by a well-known CA, ensure that the root CA certificate carries the following extensions, with both marked critical:
     X509v3 extensions:
         X509v3 Basic Constraints: critical
         X509v3 Key Usage: critical
             Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
  4. Append the cert.pem file that you generated or received from your CA to the server.pem file by typing cat cert.pem >> server.pem.
  5. Back up the old certificate by typing cp /etc/applmgmt/appliance/server.pem /etc/applmgmt/appliance/server.pem.bk.
  6. Replace the old certificate with the server.pem file that you created in Step 4 by typing mv server.pem /etc/applmgmt/appliance/.
  7. Type systemctl restart gps_envoy.service to restart the envoy service.
  8. If Cloud Foundation registration is enabled, type systemctl restart aap_envoy.service to restart the Atlas Agent Platform envoy service.
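The procedure above as an added example, not part of VMware's documentation: a POSIX shell script that runs step 2 (self-signed option) and step 4 in a scratch directory, then checks the combined server.pem and the root CA extensions required by step 3 before anything is copied onto the appliance in steps 5 to 8. The function names, the CN values and the two demo root CAs are constructed for this example; it assumes OpenSSL 1.1.1 or later (for -addext).

```shell
# Scratch directory so nothing under /etc/applmgmt/appliance/ is touched.
set -eu
cd "$(mktemp -d)"

# Step 2, self-signed option, as the procedure gives it; -subj is added
# here only to skip the interactive prompts.
gen_self_signed() {
  openssl req -x509 -newkey rsa:4096 -keyout server.pem -out cert.pem \
    -days 365 -nodes -subj "/CN=vcgw.example.test" 2>/dev/null
}

# Step 4: append the certificate to the key file.
combine() { cat cert.pem >> server.pem; }

# The combined file must carry exactly one private key and one certificate;
# running step 4 twice produces a file with two certificates.
check_combined() {
  [ "$(grep -c 'BEGIN .*PRIVATE KEY' server.pem)" -eq 1 ] &&
  [ "$(grep -c 'BEGIN CERTIFICATE' server.pem)" -eq 1 ]
}

# The key and certificate in server.pem must belong together, otherwise
# the envoy service cannot load the file after the restart in step 7.
check_key_matches() {
  pub_k=$(openssl pkey -in server.pem -pubout 2>/dev/null) || return 1
  pub_c=$(openssl x509 -in server.pem -pubkey -noout 2>/dev/null) || return 1
  [ -n "$pub_k" ] && [ "$pub_k" = "$pub_c" ]
}

# Step 3: a root CA that is not well known must mark Basic Constraints and
# Key Usage critical and carry all four usages. $1 is the CA certificate.
check_root_ca_extensions() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'X509v3 Basic Constraints: critical' || return 1
  echo "$txt" | grep -q 'X509v3 Key Usage: critical' || return 1
  for u in 'Digital Signature' 'Key Encipherment' 'Certificate Sign' 'CRL Sign'; do
    echo "$txt" | grep -q "$u" || return 1
  done
}

# Constructed demo roots (not real CAs) so the check can be exercised
# offline: $2=1 builds a conforming root, $2=0 one whose extensions are
# present but not critical.
make_demo_ca() {
  if [ "$2" -eq 1 ]; then crit="critical,"; else crit=""; fi
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "/CN=Demo Root CA" -addext "basicConstraints=${crit}CA:TRUE" \
    -addext "keyUsage=${crit}digitalSignature,keyEncipherment,keyCertSign,cRLSign" 2>/dev/null
}
```

Run the checks on the real server.pem and on your CA's root certificate before step 5; only when all three pass, continue with the backup, move and service restarts.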