Use the generate-certs command of the cell management tool to generate self-signed SSL certificates for the HTTPS and Console Proxy endpoints.

Each VMware Cloud Director server group must support two SSL endpoints: one for the HTTPS service and another for the console proxy service. The HTTPS service endpoint supports the VMware Cloud Director Service Provider Admin Portal, the VMware Cloud Director Tenant Portal, and the VMware Cloud Director API. The remote console proxy endpoint supports VMRC connections to vApps and VMs.

The generate-certs command of the cell management tool automates the Create Self-Signed SSL Certificates for VMware Cloud Director on Linux procedure.

To generate new self-signed SSL certificates and add them to a new or existing keystore, use a command line with the following form:
cell-management-tool generate-certs options
Table 1. Cell Management Tool Options and Arguments, generate-certs Subcommand
Option Argument Description
--help (-h) None Provides a summary of available commands in this category.
--expiration (-x) days-until-expiration Number of days until the certificates expire. Defaults to 365
--issuer (-i) name=value [, name=value, ...] X.509 distinguished name of the certificate issuer. Defaults to CN=FQDN. where FQDN is the fully qualified domain name of the cell or its IP address if no fully qualified domain name is available. If you specify multiple attribute and value pairs, separate them with commas and enclose the entire argument in quotation marks.
--httpcert (-j) None Generate a certificate for the HTTPS endpoint.
--type (-t) keystore-type Format of the keystore. The default is PKCS12. You can also create a JCEKS keystore.
--key-size (-s) key-size Size of key pair expressed as an integer number of bits. Defaults to 2048. Key sizes smaller than 1024 are no longer supported per NIST Special Publication 800-131A.
--keystore-pwd (-w) keystore-password Password for the keystore on this host.
--out (-o) keystore-pathname Full pathname to the keystore on this host.
--consoleproxycert (-p) None Generate a certificate for the console proxy endpoint.
Note: To maintain compatibility with previous releases of this subcommand, omitting both -j and -p has the same result as supplying both -j and -p.

Creating Self-Signed Certificates

Both of these examples assume a keystore at /tmp/cell.ks that has the password kspw. This keystore is created if it does not already exist.

This example creates the new certificates using the defaults. The issuer name is set to CN=Unknown. The certificate uses the default 2048-bit key length and expires one year after creation.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs -j -p -o /tmp/cell.ks -w kspw
New keystore created and written to /tmp/cell.ks.
This example creates a new certificate for the HTTPS endpoint only. It also specifies custom values for key size and issuer name. The issuer name is set to CN=Test, L=London, C=GB. The new certificate for the HTTPS connection has a 4096-bit key and expires 90 days after creation. The existing certificate for the console proxy endpoint is unaffected.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs -j -o /tmp/cell.ks -w kspw
 -i "CN=Test, L=London, C=GB" -s 4096 -x 90
New keystore created and written to /tmp/cell.ks.
Important: The keystore file and the directory in which it is stored must be readable by the user vcloud.vcloud. The VMware Cloud Director installer creates this user and group.