If the service provider vCloud Director instances use a self-signed certificate, you must update the on-premise vSphere Replication appliances to trust the self-signed certificate. By using a self-signed certificate in the tenant configuration, you ensure security and encryption for tenant deployments.


The following procedure contains long, single commands that should be run as one. There are breaks in the command for better visibility marked with "\". "#" marks the beginning of a new command.


Make sure that SSH is enabled on your vSphere Replication Appliance. For more information, see https://kb.vmware.com/s/article/2112307.


  1. Copy the self-signed certificate to the client vSphere Replication Appliance and load it into the keystore.
    1. Log in to vSphere Replication Appliance.
    2. Export the vCloud Director certificate and import it into the Java keystore:
      # openssl s_client -connect $CLOUD_PROXY_IP:443 </dev/null 2>/dev/null \
      | openssl x509 > /tmp/vcloud.pem
      # /usr/java/default/bin/keytool -noprompt \
      -import -trustcacerts -alias cloudproxy -file /tmp/vcloud.pem \
      -keystore /usr/java/default/lib/security/cacerts -storepass changeit

      Keytools can be on a different folder depending on the vSphere Replication release.

  2. Restart the services that use the keystore file by running the following commands.
    # service hms restart
    # service vmware-vcd restart