The other day I had to pull off the SSL certs for the vCSA and I was struggling to connect to the appliance even after enabling SSH and Bash shell access from within the VAMI.
Turns out a bit more configuration is required before you can connect to the vCSA via SCP and this is mainly due to the vCSA having 2 shells – Appliance shell and Bash shell.
What you need to do is change the default shell in the vCSA to Bash… have a look at the following KB for the solution steps: http://kb.vmware.com/kb/2107727
BTW, in case you didn’t know where the SSL cert for the vCSA resides, you’ll find it here:
/etc/vmware-vpx/ssl/rui.crt
The Virtual Unknown 