To prevent the Web browser from showing a certificate prompt every time a user opens the VMware Cloud Director Availability interface, you must upload an SSL certificate signed by a trusted certificate authority.


  • Verify that the new PKCS#12 (.pfx) certificate file and the private key use the same password.
  • Verify that the PKCS#12 file contains only one entry: the private key and its corresponding certificate and, optionally, the certificate trust chain. The trust chain must be part of the same keystore entry and must not be provided as separate entries in the PKCS#12 file.
  • Verify that the RSA key size is 2048-bit or larger.
  • Verify that the certificate does not use insecure hash algorithms, for example SHA1 and MD5.
  • If using a wildcard certificate, use it only for the Cloud Service. Do not use the same certificate for any other VMware Cloud Director Availability service. For more information about wildcard certificates, see Replacing VMware Cloud Director Availability Certificates.


  1. Log in to the VMware Cloud Director Availability management interface.
    1. In a Web browser, go to https://Appliance-IP-address/ui/admin.
    2. Select SSO login or Appliance login, and enter the single sign-on or the root user credentials.
    3. Click Login.
  2. In the left pane, click Configuration.
  3. Under Appliance settings, next to Certificate click Import.
  4. In the Import Certificate window, enter the certificate details and click Apply.
    1. Enter the password that protects the keystore and the certificate private key.
    2. Click Browse and select the PKCS#12 file.


After you upload the CA-signed certificate, all VMware Cloud Director Availability services that run on the same appliance restart.

What to do next

You can find the old certificate at /opt/vmware/h4/serviceType/config/keystore.p12.bak, where serviceType is cloud, manager, replicator, or tunnel.