diff --git a/vmware_nsx/shell/admin/plugins/nsxv/resources/migration.py b/vmware_nsx/shell/admin/plugins/nsxv/resources/migration.py
index 80ff0b4c69..33f1bb41dd 100644
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/migration.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/migration.py
@@ -12,7 +12,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import os
 import sys
 
 import netaddr
@@ -509,17 +508,6 @@ def _validate_l2gw(admin_context):
                       "supported." % (len(l2gws), [l2gw.id for l2gw in l2gws]))
 
 
-def _ensure_ca_file():
-    # Ensure CA file is used if /etc/ssl/certs/vcenter.pem exists
-    # otherwise secure connection to vcenter will fail
-    if not cfg.CONF.dvs.ca_file:
-        ca_file_default = "/etc/ssl/certs/vcenter.pem"
-        if os.path.isfile(ca_file_default):
-            LOG.info("ca_file for vCenter unset, defaulting to: %s",
-                     ca_file_default)
-            cfg.CONF.set_override('ca_file', ca_file_default, 'dvs')
-
-
 def _validate_config():
     # General config options / per AZ which are unsupported
     config.register_nsxv_azs(cfg.CONF, cfg.CONF.nsxv.availability_zones)
@@ -548,7 +536,6 @@ def validate_config_for_migration(resource, event, trigger, **kwargs):
             transit_networks = [transit_network]
         strict = bool(properties.get('strict', 'false').lower() == 'true')
         out_file = properties.get('summary-file-name')
-    _ensure_ca_file()
     LOG.info("Running migration config validation in %sstrict mode",
              '' if strict else 'non-')
 
@@ -564,7 +551,6 @@ def validate_config_for_migration(resource, event, trigger, **kwargs):
     admin_context = n_context.get_admin_context()
 
     _validate_config()
-    _ensure_ca_file()
 
     try:
         with utils.NsxVPluginWrapper() as plugin:
@@ -637,7 +623,6 @@ def list_ports_vif_ids(resource, event, trigger, **kwargs):
     admin_context = n_context.get_admin_context()
     table_results = []
     map_results = {}
-    _ensure_ca_file()
 
     with utils.NsxVPluginWrapper() as plugin:
         neutron_ports = plugin.get_ports(admin_context)
diff --git a/vmware_nsx/shell/admin/plugins/nsxv/resources/utils.py b/vmware_nsx/shell/admin/plugins/nsxv/resources/utils.py
index 6516a65f1d..6938767145 100644
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/utils.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/utils.py
@@ -12,6 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import os
 import time
 import xml.etree.ElementTree as et
 
@@ -58,10 +59,21 @@ class NeutronDbClient(object):
 
 class NsxVPluginWrapper(plugin.NsxVPlugin):
 
+    def _ensure_ca_file(self):
+        # Ensure CA file is used if /etc/ssl/certs/vcenter.pem exists
+        # otherwise secure connection to vcenter will fail
+        if not cfg.CONF.dvs.ca_file:
+            ca_file_default = "/etc/ssl/certs/vcenter.pem"
+            if os.path.isfile(ca_file_default):
+                LOG.info("ca_file for vCenter unset, defaulting to: %s",
+                        ca_file_default)
+                cfg.CONF.set_override('ca_file', ca_file_default, 'dvs')
+
     def __init__(self):
         config.register_nsxv_azs(cfg.CONF, cfg.CONF.nsxv.availability_zones)
         self.context = neutron_context.get_admin_context()
         self.filters = get_plugin_filters(self.context)
+        self._ensure_ca_file()
         super(NsxVPluginWrapper, self).__init__()
         # Make this the core plugin
         directory.add_plugin('CORE', self)