VMware Cloud Director uses SSL handshakes to secure communications between clients and servers.

Each VMware Cloud Director server must support two different SSL endpoints, one for HTTPS and one for console proxy communications.

In the VMware Cloud Director appliance, these two endpoints share the same IP address or hostname, but use two distinct ports - 443 for HTTPS and 8443 for console proxy communications. You can use the same certificate for both endpoints, for example, by using a wildcard certificate.

Signed certificates are signed by authorized Certificate Authorities (CA) and, as long as the local OS truststore holds a copy of the CA's root and intermediate certificates, browsers trust them. Some CAs ask you to submit the requirements for a certificate directly, others require you to submit a Certificate Signing Request (CSR). In both scenarios, you start by creating a self-signed certificate and generate a CSR that is based on it. The CA signs your certificate with its private key; anyone holding a copy of the CA's public key can then verify that signature and establish trust.

When you renew an expired SSL certificate, you don't need to provide VMware Cloud Director with any data about the expired certificate. This means that after you import the required SSL certificates into the VMware Cloud Director appliance, you don't need to back them up.

Starting with VMware Cloud Director 10.2.2, you can import PEM files directly into the VMware Cloud Director appliance. If your certificate files are in another format, you can use OpenSSL to convert them to PEM before importing them to VMware Cloud Director with the cell management tool.

Workflow for converting certificate files: the files must be in .key and .pem format before you import them into the VMware Cloud Director appliance by using the Cell Management Tool.
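The following script is an added example, not VMware's own tooling or documentation, of the OpenSSL steps behind the CSR workflow described above and the conversion to .key/.pem files that the Cell Management Tool expects. It assumes a PKCS#12 bundle (a .pfx/.p12 file, placeholder path) as the non-PEM source format, a placeholder hostname `vcd.example.com`, and that the bundle password is supplied through the `PFX_PASS` environment variable rather than on the command line, so it does not show up in process listings. It also includes a check that the converted certificate and key actually belong together, and a helper for inspecting what the two appliance endpoints (443 and 8443) serve after the import.

```shell
#!/bin/sh
# Added example (not part of the VMware Cloud Director documentation).
# Assumed inputs: a PKCS#12 bundle and the PFX_PASS environment variable.
set -eu

# Step 1 of the CSR workflow: create a private key and a CSR for the
# appliance hostname. Because HTTPS (443) and the console proxy (8443)
# share the same hostname, one SAN entry covers both endpoints.
make_key_and_csr() {
    # $1 = output directory, $2 = hostname for CN and subjectAltName
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/vcd.key" -out "$1/vcd.csr" \
        -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Convert a PKCS#12 bundle into the .key and .pem files the appliance needs.
# The password is read from PFX_PASS (not from an argument), and the
# "Bag Attributes" text that openssl pkcs12 emits is stripped so only the
# PEM blocks remain.
pkcs12_to_pem() {
    # $1 = .pfx/.p12 input, $2 = output directory
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$2/vcd.key"
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$2/vcd.pem"
}

# A DER-encoded certificate (.cer/.der) is the other common non-PEM input.
der_to_pem() {
    # $1 = DER input, $2 = PEM output
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Sanity check before importing: the public key inside the certificate must
# match the public key derived from the private key, otherwise the cell
# management tool is being handed a mismatched pair.
cert_matches_key() {
    # $1 = PEM certificate, $2 = PEM private key; returns 0 on match
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# After the import, confirm what each endpoint actually presents.
# Not exercised offline; run as: show_served_cert vcd.example.com 443
#                                 show_served_cert vcd.example.com 8443
show_served_cert() {
    # $1 = hostname, $2 = port (443 for HTTPS, 8443 for console proxy)
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate -ext subjectAltName
}
```

Usage: `make_key_and_csr /tmp/vcd vcd.example.com` produces the key and the CSR to hand to the CA; once the CA returns a PKCS#12 bundle, `PFX_PASS=... pkcs12_to_pem bundle.pfx /tmp/vcd` yields `vcd.key` and `vcd.pem`, and `cert_matches_key /tmp/vcd/vcd.pem /tmp/vcd/vcd.key` should succeed before you run the Cell Management Tool import. If the CA also returns separate intermediate certificates, append them to `vcd.pem` after the server certificate so the appliance serves the full chain.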

Depending on your environment needs, choose one of the following options.