Unable to refresh Management Proxy token for Azure Cloud Proxy


Article ID: 369179


Products

VMware Aria Suite

Issue/Introduction

This article provides steps for manually adding a necessary certificate on the Azure Management Proxy (formerly Cloud Proxy), so the customer's self-signed certificate will be trusted.

When calling the API "/csp/gateway/am/api/auth/api-tokens/authorize" on the Management Proxy endpoint, the error message "Error during SSL Handshake with remote server" appears in the /storage/log/var/log/httpd-south/error.log file.
By design, API requests to the Management Proxy for the "/csp/gateway/am/api/auth/api-tokens/authorize" endpoint are received by http-south and reverse-proxied to the CSP endpoint "console.cloud.vmware.com".
Inspection of the SSL certificate chain between the Management Proxy and CSP showed that SSL termination/inspection is happening in the customer's network. As a result, the Management Proxy is presented with a custom self-signed certificate, which is not trusted by default.


Environment

VMware Cloud Foundation

Management Proxy

Aria Operations Cloud Appliance - Cloud Proxy (Azure)
Aria Operations Cloud Appliance - Cloud Proxy (AWS)

Resolution

  1. Put your certificate's .pem file in this directory: /etc/ssl/certs/
  2. Adjust its permissions by executing the command: chmod 644 <cert.pem>
  3. Retrieve the hash of your .pem file with the following command: openssl x509 -hash -noout -in <cert.pem>
  4. Use the hash obtained from the previous command to generate a symlink to the file by running: ln -s <cert.pem> <hash>.0

Note: After Management Proxy upgrades, the symlink should be created again, as it might be removed in some cases. 
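The four steps above, combined with the post-upgrade re-check from the note, as one re-runnable shell script. This is an added example, not VMware's tooling; the function names ensure_trusted and is_trusted and the CERT_DIR override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): idempotent version of steps 1-4.
# CERT_DIR is an assumed override so the script can be tried on a scratch
# directory; on the appliance it is /etc/ssl/certs as stated in the article.
CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"

# ensure_trusted <cert.pem>: copy, chmod, hash and symlink; safe to re-run.
# Returns 0 when <hash>.0 resolves to the certificate, non-zero otherwise.
ensure_trusted() {
    src="$1"
    name=$(basename "$src")
    # Reject anything that is not a parseable PEM X.509 certificate.
    hash=$(openssl x509 -hash -noout -in "$src" 2>/dev/null) || return 1
    [ -n "$hash" ] || return 1
    # Steps 1 and 2: place the file, readable by all, writable by owner only.
    if [ ! -f "$CERT_DIR/$name" ] || ! cmp -s "$src" "$CERT_DIR/$name"; then
        cp "$src" "$CERT_DIR/$name" || return 1
    fi
    chmod 644 "$CERT_DIR/$name" || return 1
    # Steps 3 and 4: <hash>.0 -> <cert.pem>, as a relative link in CERT_DIR.
    link="$CERT_DIR/$hash.0"
    if [ -e "$link" ] || [ -L "$link" ]; then
        # Link already present: accept it only if it resolves to this cert.
        cmp -s "$link" "$CERT_DIR/$name" && return 0
        echo "refusing to replace $link: it does not resolve to $name" >&2
        return 2
    fi
    (cd "$CERT_DIR" && ln -s "$name" "$hash.0")
}

# is_trusted <cert.pem>: true when openssl verify accepts the certificate
# with CERT_DIR as its CApath, i.e. the hash symlink is in place and valid.
is_trusted() {
    openssl verify -CApath "$CERT_DIR" "$1" >/dev/null 2>&1
}

# Usage: ./trust-cert.sh <cert.pem>   (re-run after each proxy upgrade)
if [ "$#" -gt 0 ]; then
    ensure_trusted "$1" && is_trusted "$1" && echo "trusted: $1"
fi
```

Because an existing <hash>.0 that points at a different file is never overwritten, a re-run after an upgrade restores only a missing link and leaves other trust anchors untouched.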
