ilyak
Contributor

SSL problems

My extension is making a REST request via HTTPS.

How can I know whether the SSL certificate of the backend server of my extension is installed on the vSphere Client?

If the certificate isn't installed, what is the reason?

tganchev
VMware Employee

The certificate of your backend will usually not be automatically available to the vSphere Client server, unless it is signed by a trusted authority.

You don't need the certificate installed. What you can do, instead, is pass known thumbprints to the Apache HTTP client (or whatever other library you are using to send the requests).

The actual thumbprint of your backend should be registered in your vCenter extension - add a new record under vim.ExtensionManager.extensionList[your-extension].server and populate the serverThumbprint field. If you're providing the client plugin from the same server, the thumbprint should be populated already. For more details on the VC ExtensionManager API see http://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssdk.apiref.doc/vim.ExtensionManager.html.

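The thumbprint approach from the reply above, as an added example (not code from the thread or from VMware): a Java trust manager that accepts the backend only when its leaf certificate matches a known thumbprint. The names `ThumbprintTrustManager` and `contextFor` are hypothetical, and the code assumes the registered thumbprint is a colon-separated SHA-1 hex string.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Added example (hypothetical class name): trust a server only when its leaf
// certificate's SHA-1 thumbprint is one of the registered serverThumbprint values.
public final class ThumbprintTrustManager implements X509TrustManager {
    private final Set<String> pinned = new HashSet<>(); // upper-case hex, no separators

    public ThumbprintTrustManager(Set<String> thumbprints) {
        // Assumption: input looks like "AB:CD:..."; normalize before comparing.
        for (String t : thumbprints) pinned.add(t.replace(":", "").trim().toUpperCase(Locale.ROOT));
        if (pinned.isEmpty()) throw new IllegalArgumentException("no thumbprints supplied");
    }

    static String sha1Hex(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()))
                sb.append(String.format("%02X", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        chain[0].checkValidity(); // pinning does not excuse an expired certificate
        if (!pinned.contains(sha1Hex(chain[0])))
            throw new CertificateException("server certificate thumbprint is not registered");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client authentication is not supported");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    // SSLContext to hand to the HTTP client instead of the JVM default trust store.
    public static SSLContext contextFor(Set<String> thumbprints) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ThumbprintTrustManager(thumbprints) }, null);
        return ctx;
    }
}
```

Build the HTTP client with the returned `SSLContext`, passing the thumbprint value(s) read from the extension record; the client library's hostname verification still applies on top of this check.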
ilyak
Contributor

The extension is registered in the extension manager.

It has a populated serverThumbprint in vim.ExtensionManager.extensionList[my-extension].server (see attachment),

but when my Java code makes REST requests to the server, it always gets an exception:

com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Denis_Chorbadzh
VMware Employee

Hi,

Since you are making REST calls to your backend server, the issue is most probably not related to vSphere but to your server certificate configuration.

You may try to fix the problem using the steps provided here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-fail...

Denis
