If you have Cloud Proxy instances in the service provider environment that use different self-signed certificates than vCloud Director, you must update vSphere Replication appliances to trust them.

Repeat the following procedure for each Cloud Proxy instance in the service provider environment.


  1. Copy the self-signed certificate to the client vSphere Replication Appliance and load it into the keystore.
    1. Log in to the vSphere Replication Appliance.
    2. Export the Cloud Proxy certificate and import it into the Java keystore:
      # openssl s_client -connect $CLOUD_PROXY_IP:443 </dev/null 2>/dev/null \
      | openssl x509 > /tmp/vcloud.pem
      # /usr/java/default/bin/keytool -noprompt \
      -import -trustcacerts -alias cloudproxy -file /tmp/vcloud.pem \
      -keystore /usr/java/default/lib/security/cacerts -storepass changeit

      The location of keytool depends on the vSphere Replication release.

  2. Restart the services that use the keystore file.
    1. Restart the vSphere Replication Manager service by running the following command.
      # service hms restart
    2. Restart the vCloud Tunneling Agent service.
      • For vSphere Replication 8.1.1, run the following command.

        # service vcta restart
      • For earlier vSphere Replication versions, run the following command.

        # service vmware-vcd restart
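
The export in step 1 trusts whatever certificate the host at $CLOUD_PROXY_IP presents at the moment of the connection. The following added example (not part of the original procedure) compares the fetched certificate's SHA-256 fingerprint with a value obtained from the service provider out of band, and imports the certificate only on a match. EXPECTED_FP, the function names, and the sample address are assumptions; the keytool path, keystore path, and alias are the ones used above.

```shell
#!/bin/sh
# Added example: verify the Cloud Proxy certificate fingerprint before import.
# EXPECTED_FP (assumption) is the SHA-256 fingerprint supplied out of band by
# the service provider. Paths and alias are those used in the procedure.
KEYTOOL=${KEYTOOL:-/usr/java/default/bin/keytool}
KEYSTORE=${KEYSTORE:-/usr/java/default/lib/security/cacerts}

# Normalize a fingerprint: drop colons and whitespace, upper-case hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the normalized SHA-256 fingerprint of the PEM certificate in file $1.
cert_fp() {
    _out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    normalize_fp "${_out#*=}"
}

# Succeed only if the certificate in file $1 has fingerprint $2.
fp_matches() {
    _actual=$(cert_fp "$1") || return 1
    [ -n "$_actual" ] && [ "$_actual" = "$(normalize_fp "$2")" ]
}

# Fetch the certificate, verify it, then import it. On a mismatch the
# keystore is left untouched and the fetched file is removed.
trust_cloud_proxy() {
    _host=$1; _expected=$2; _pem=${3:-/tmp/vcloud.pem}
    openssl s_client -connect "$_host:443" </dev/null 2>/dev/null \
        | openssl x509 > "$_pem" || return 1
    if ! fp_matches "$_pem" "$_expected"; then
        echo "fingerprint mismatch for $_host, certificate not imported" >&2
        rm -f "$_pem"
        return 2
    fi
    "$KEYTOOL" -noprompt -import -trustcacerts -alias cloudproxy \
        -file "$_pem" -keystore "$KEYSTORE" -storepass changeit
}

# Runs only when both variables are set, e.g. (constructed sample values)
#   CLOUD_PROXY_IP=192.0.2.10 EXPECTED_FP=AA:BB:... sh trust-proxy.sh
if [ -n "${CLOUD_PROXY_IP:-}" ] && [ -n "${EXPECTED_FP:-}" ]; then
    trust_cloud_proxy "$CLOUD_PROXY_IP" "$EXPECTED_FP"
fi
```

Set KEYTOOL and KEYSTORE in the environment when the release stores them elsewhere, and restart the services as in step 2 after a successful import.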