By using a self-signed certificate in the tenant configuration, you ensure security and encryption for tenant deployments.

If the service provider vCloud Director instances use a self-signed certificate, you must update the tenant vSphere Replication appliances to trust the self-signed certificate, by completing the following steps.


The following procedure contains long, single commands that should be run as one. There are breaks in the command for better visibility marked with "\". "#" marks the beginning of a new command.


  1. Copy the self-signed certificate to the client vSphere Replication Appliance and load it into the keystore.
    1. Log in to vSphere Replication Appliance using the remote console
    2. Export the vCloud Director certificate and import it into the Java keystore:
      # openssl s_client -connect $VCD_IP:443 -tls1 </dev/null 2>/dev/null \
      | openssl x509 > /tmp/vcloud.pem
      # /usr/java/default/bin/keytool -noprompt \
      -import -trustcacerts -alias vcloud -file /tmp/vcloud.pem \
      -keystore /usr/java/default/lib/security/cacerts -storepass changeit

      Keytools may be located on a different folder depending on the vSphere Replication release.

  2. Restart the services that use the keystore file by running the following commands.
    # service hms restart
    # service vmware-vcd restart