How to Install vCenter CA Certificates on a vSphere Replication Server

Step-by-step guide to generate a CSR, sign it with VMCA, and install vCenter CA certificates on a vSphere Replication appliance.

This guide explains how to generate a certificate signing request (CSR), sign it using the VMware vCenter Certificate Authority (VMCA), and install the signed certificate on a vSphere Replication appliance.

Prerequisites

  • Access to the vSphere Replication appliance management interface (VAMI)
  • Root credentials for the replication appliance
  • Root or administrative access to the vCenter Server Appliance (VCSA)
  • vCenter administrative credentials (administrator@vsphere.local)

Step 1: Generate a CSR from the Replication Appliance

  1. Open a web browser and access the VAMI interface:
    https://<VR_Appliance_FQDN_or_IP>:5480
  2. Log in using the root account.
  3. Navigate to the Certificates tab.
  4. Select Generate CSR.
  5. Enter the required details:
    • Organization
    • Organizational Unit
    • State and Locality
  6. Accept the default FQDN and IP values unless changes are required.
  7. Click Generate and Download to save:
    • .csr file (certificate signing request)
    • .key file (private key)

Important: Keep the private key file secure. It is required for certificate installation.

Step 2: Sign the CSR Using vCenter VMCA

Option A: Using vCenter Certificate Manager (CLI)

  1. SSH into the vCenter Server Appliance (VCSA).
  2. Log in as root.
  3. Enable the Bash shell:
    shell
  4. Launch the certificate manager:
    /usr/lib/vmware-vmca/bin/certificate-manager
  5. Select the option to sign a custom certificate request and follow the prompts.

Option B: Using vSphere Web Client (Recommended)

  1. Log in to vCenter.
  2. Navigate to:
    Administration → Certificates → Certificate Management
  3. Select VMCA Root Certificate.
  4. Click Issue New Leaf Certificate.
  5. Upload the previously generated CSR file.
  6. Download:
    • Signed certificate (leaf certificate)
    • VMCA root certificate
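
Before uploading anything in Step 3, it is worth confirming that the three files belong together. The script below is an added example, not part of the original guide or of any VMware tooling: it uses openssl to check that the leaf certificate matches the private key from Step 1, chains to the VMCA root, and covers the appliance FQDN. The file names and vr01.example.test are placeholders, and make_demo_bundle builds a constructed throwaway CA only so the script can run offline.

```bash
#!/usr/bin/env bash
# Added example: consistency check for the files uploaded in Step 3.
# File names and vr01.example.test are placeholders, not values from the guide.

# check_bundle LEAF ROOT KEY [FQDN]: returns 0 only if every check passes.
check_bundle() {
  local leaf="$1" root="$2" key="$3" fqdn="${4:-}" cert_pub key_pub
  # 1. The leaf must carry the public half of the key generated with the CSR.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot read certificate $leaf"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read private key $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: certificate does not match private key"; return 1; }
  # 2. The leaf must chain to the root certificate uploaded alongside it.
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 ||
    { echo "FAIL: leaf was not issued by $root"; return 1; }
  # 3. Optional: the appliance FQDN must be covered by the certificate.
  if [ -n "$fqdn" ]; then
    openssl x509 -in "$leaf" -noout -checkhost "$fqdn" | grep -q "does match" ||
      { echo "FAIL: $fqdn is not covered by the certificate"; return 1; }
  fi
  echo "OK: leaf, root and key are consistent"
}

# Constructed throwaway CA and leaf so the check can be exercised offline.
make_demo_bundle() {
  local d="$1" fqdn="$2"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ca' \
    '[dn]' 'CN=Constructed Demo Root' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 1 \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$fqdn" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/san.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/san.ext" -days 1 -out "$d/leaf.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_bundle "$demo" vr01.example.test
check_bundle "$demo/leaf.crt" "$demo/root.crt" "$demo/leaf.key" vr01.example.test
```

Against the real downloads, call check_bundle with the signed leaf certificate, the VMCA root certificate, the .key file from Step 1, and the appliance FQDN.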

Step 3: Install the Signed Certificate on the Replication Appliance

  1. Return to the replication appliance VAMI interface.
  2. Navigate to Certificates.
  3. Select:
    Appliance Certificate → Change
  4. Choose: Use a CA-signed certificate generated from CSR
  5. Upload the following files:
    • Signed certificate (leaf certificate)
    • VMCA root certificate
    • Private key file generated earlier
  6. Note: Ensure your file browser shows all file types (not just PEM files).
  7. Apply the configuration.

Step 4: Reconfigure the Appliance

After uploading the certificates, the appliance will require reconfiguration.

  • Provide vCenter administrator credentials (administrator@vsphere.local)
  • Allow the appliance to complete certificate installation and service updates

Verification

  • Access the replication appliance UI and confirm no certificate warnings
  • Verify certificate details from the browser (issuer should be VMCA)
  • Confirm replication services are operational

Best Practices

  • Always back up the appliance before modifying certificates
  • Ensure time synchronization between vCenter and appliances
  • Store private keys securely
  • Use VMCA or enterprise CA consistently across infrastructure

Conclusion

Installing VMCA-signed certificates on the vSphere Replication appliance improves security, eliminates browser warnings, and aligns the appliance with your vCenter certificate trust chain.

Last Updated: 2025/10/16
