If you have Cloud Proxy instances in the service provider environment that use different self-signed certificates than vCloud Director, you must update vSphere Replication appliances to trust them.

Repeat the following procedure for each Cloud Proxy instance in the service provider environment.


  1. Copy the self-signed certificate to the client vSphere Replication Appliance and load it into the keystore.
    1. Log in to vSphere Replication Appliance.
    2. Export the Cloud Proxy certificate and import it into the Java keystore:
      # openssl s_client -connect $CLOUD_PROXY_IP:443 </dev/null 2>/dev/null \
      | openssl x509 > /tmp/vcloud.pem
      # /usr/java/default/bin/keytool -noprompt \
      -import -trustcacerts -alias cloudproxy -file /tmp/vcloud.pem \
      -keystore /usr/java/default/lib/security/cacerts -storepass changeit

      Keytools can be on a different folder depending on the vSphere Replication release.

  2. Restart the services that use the keystore file by running the following commands.
    # service hms restart
    # service vmware-vcd restart