By using a certificate in the tenant configuration, you ensure security and encryption for tenant deployments. If the service provider vCloud Director instances use a self-signed certificate, you must update the on-premise vSphere Replication appliances to trust the self-signed certificate.

Note:

The following procedure contains long, single commands that must each be run as one command. Line breaks added for readability are marked with "\". "#" marks the beginning of a new command.

Prerequisites

Make sure that SSH is enabled on your vSphere Replication Appliance. For more information, see https://kb.vmware.com/s/article/2112307.

Procedure

  1. Export the vCloud Director self-signed certificate and import it into the vSphere Replication Appliance keystore.
    1. Log in to the vSphere Replication Appliance.
    2. Back up the appliance keystore by running the following command.
      # cp /usr/java/default/lib/security/cacerts /usr/java/default/lib/security/cacerts.bak
    3. Export the vCloud Director self-signed certificate by running the following command.
      # openssl s_client -connect vCD-IP:443 </dev/null 2>/dev/null \
      | openssl x509 > /tmp/vcloud.pem
      
    4. Import the vCloud Director self-signed certificate into the vSphere Replication Appliance keystore by running the following command.
      # /usr/java/default/bin/keytool -noprompt \
      -import -trustcacerts -alias cloudproxy -file /tmp/vcloud.pem \
      -keystore /usr/java/default/lib/security/cacerts -storepass changeit
      Note:

      The keytool can be located in a different folder depending on the vSphere Replication release.

  2. Restart the services that use the keystore file by running the following commands.
    # service hms restart
    
    # service vmware-vcd restart
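
Step 1.3 saves whatever certificate the endpoint presents, so compare its SHA-256 fingerprint with one obtained from the service provider over a separate channel before importing it in step 1.4. The script below is an added example, not part of the original procedure; the function names and the `EXPECTED_FP` and `CERT_FILE` variables are assumptions.

```shell
#!/bin/sh
# Added example: check the exported certificate before it is imported
# into the appliance keystore (between steps 1.3 and 1.4).
# Assumption: EXPECTED_FP holds the SHA-256 fingerprint supplied by the
# service provider out of band; CERT_FILE defaults to /tmp/vcloud.pem.

# Print the SHA-256 fingerprint of a PEM certificate as 64 uppercase hex
# digits without colons. Prints nothing if the file is not a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Normalise a pasted fingerprint: drop colons and spaces, uppercase the hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Return 0 on match, 1 on mismatch, 2 if either input is unusable.
# An empty file, which is what step 1.3 leaves behind when the connection
# fails, is reported as unusable rather than silently accepted.
verify_cert() {
    pem=$1
    expected=$(normalise_fp "$2")
    actual=$(cert_fingerprint "$pem")
    [ -n "$actual" ] || { echo "not a valid PEM certificate: $pem" >&2; return 2; }
    [ "${#expected}" -eq 64 ] || { echo "expected value is not a SHA-256 fingerprint" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "MISMATCH: certificate has $actual" >&2
    return 1
}

# Runs only when an expected fingerprint is supplied, for example:
#   EXPECTED_FP='<fingerprint from provider>' sh verify_vcd_cert.sh
# Continue with the keytool import only if this exits with status 0.
if [ -n "${EXPECTED_FP:-}" ]; then
    verify_cert "${CERT_FILE:-/tmp/vcloud.pem}" "$EXPECTED_FP" || exit 1
fi
```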