You can change the initial vSphere Replication SSL certificate by generating a new self-signed certificate or uploading an SSL certificate signed by a trusted Certificate Authority.

vSphere Replication generates a standard SSL certificate when the appliance first boots and registers with vCenter Server. The vSphere Replication self-signed certificate expires five years after the first boot of the appliance. When your certificate is due to expire in 30 days, you see a warning under Issues on the Site Pair tab of vSphere Replication. The default certificate policy uses trust by thumbprint.

You can change the SSL certificate, for example if your company's security policy requires that you use trust by validity and thumbprint or a certificate signed by a certification authority. You change the certificate by using the VRMS Appliance Management Interface of the vSphere Replication appliance. For information about the SSL certificates that vSphere Replication uses, see vSphere Replication Certificate Verification and Requirements When Using a Public Key Certificate with vSphere Replication.

See vSphere Replication Certificate Verification for details on how vSphere Replication handles certificates.


  • Verify that the vSphere Replication appliance is powered on.
  • Verify that you have administrator privileges to configure the vSphere Replication appliance.


  1. Use a supported browser to log in to the VRMS Appliance Management Interface.
    The URL for the VRMS Appliance Management Interface is https://vr-appliance-address:5480.
  2. Enter the admin user name and password for the appliance.
    You configured the admin password during the OVF deployment of the vSphere Replication appliance.
  3. Click Certificates.
  4. (Optional) To enforce verification of certificate validity, see How to Activate the Verification of Certificate Validity.
  5. Click on Change.
    Menu item: Generate a self-signed certificate
    Description: Use an automatically generated certificate.
      1. Enter text values for your organization and organization unit, typically your company name, and the name of your group in the company.
      2. Accept the default FQDN and IP values.
      Note: Using a self-signed certificate is not recommended for production environments.

    Menu item: Use a PKCS #12 certificate file
    Description: Use a custom certificate.
      1. Click Browse, navigate to the certificate file, and click Open. The certificate file must contain exactly one certificate with exactly one private key matching the certificate.
      2. (Optional) Enter the optional private key encryption password.

    Menu item: Use a CA-signed certificate generated from CSR
    Description: Use a CA-signed certificate generated from a CSR.
      1. In the Certificate file row, click Browse, navigate to the certificate file, and click Open.
      2. (Optional) In the CA chain row, click Browse, navigate to the CA chain, and click Open.
  6. Click Change.
  7. Restart the vSphere Replication appliance.


You changed the SSL certificate and optionally changed the security policy to use trust by validity and certificates signed by a certificate authority.

Note: If you change a certificate on one of the source or target sites, the connection status to this site changes to Connection issue. In the vSphere Web Client, you can check the list of target sites under vSphere Replication on the Manage tab, and reconnect the sites.
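
Before you upload a file with the Use a PKCS #12 certificate file option, you can check on your workstation that it contains exactly one certificate and exactly one matching private key, and that the certificate is not already inside the 30-day expiry warning window. The following shell function is an added example, not part of the VMware product or documentation; the name check_p12 is hypothetical, and the example assumes that the OpenSSL command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example, not VMware code. check_p12 is a hypothetical helper name.
# Usage: check_p12 <file.p12> [password]
# Returns 0 = acceptable, 1 = rejected, 2 = unreadable (wrong password or not PKCS #12).
check_p12() {
    local p12="$1" pass="${2:-}" certs keys ncert nkey cert_pub key_pub

    # Dump the certificates and the (unencrypted) private keys separately.
    certs=$(openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" 2>/dev/null) ||
        { echo "FAIL: cannot read $p12 (wrong password or not PKCS #12)"; return 2; }
    keys=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null) ||
        { echo "FAIL: cannot extract a private key from $p12"; return 2; }

    # The file must hold exactly one certificate and exactly one private key.
    ncert=$(printf '%s\n' "$certs" | grep -c -e '-----BEGIN CERTIFICATE-----' || true)
    nkey=$(printf '%s\n' "$keys" | grep -c -e '-----BEGIN .*PRIVATE KEY-----' || true)
    if [ "$ncert" -ne 1 ] || [ "$nkey" -ne 1 ]; then
        echo "FAIL: found $ncert certificate(s) and $nkey private key(s), need 1 and 1"
        return 1
    fi

    # The key must match the certificate: compare the two public keys.
    cert_pub=$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey 2>/dev/null) || true
    key_pub=$(printf '%s\n' "$keys" | openssl pkey -pubout 2>/dev/null) || true
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate"
        return 1
    fi

    # Informational: flag a certificate that expires within 30 days.
    if ! printf '%s\n' "$certs" | openssl x509 -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "WARN: certificate expires within 30 days"
    fi
    printf '%s\n' "$certs" | openssl x509 -noout -subject -enddate
    echo "OK: one certificate, one matching private key"
}

# Script entry point: ./check_p12.sh bundle.p12 'password'
if [ "$#" -ge 1 ]; then check_p12 "$@"; fi
```

Passing the password as an argument exposes it in the process list and shell history. On a shared workstation, adapt the function to use the OpenSSL file: or env: password sources instead.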