The harbor service may regenerate the certificate used which will cause the connection to not be trusted. To prevent this, the root signing certificate should be the certificate to trust in the VCH creation.

When creating the VCH, use the root signing certificate in the --registry-ca option. Since the signing certificate does not change when the registry regenerates certificates, the trust will not be broken.
or more information, see

• Deploy a VCH for Use with vSphere Integrated Containers Registry
• Private Registry Options

To download the signing root certificate, log in to the VIC Appliance registry GUI as admin and click the admin username on the top right of the page and select download root certificate.

If the VCH is already deployed the trusted registry, certificate can be updated by the following step.

1. Upgrade the VCH 1.1.1 to 1.2 or later version. For more information, see Upgrade Virtual Container Hosts.
2. Run the vic-machine configure command to reconfigure the VCH by adding the needed registry certificate. For more information, see Add or Update Registry Server Certificates-