Creating and importing CA-signed certificates provides the highest level of trust for SSL communications and helps you secure the connections within your cloud infrastructure.

Each VMware Cloud Director server must support two different SSL endpoints, one for HTTPS and one for console proxy communications.

Important: If you are using separate IP addresses for the HTTPS service and for the console proxy service, you must complete this procedure once for the IP address for the HTTPS service and again for the IP address for the console proxy service.

The two endpoints can be separate IP addresses or a single IP address with two different ports. You can use the same certificate for both endpoints, for example, by using a wildcard certificate.

Certificates for both endpoints must include an X.500 distinguished name and an X.509 Subject Alternative Name (SAN) extension that lists the FQDN or IP address clients use to reach each endpoint.

You can use certificates signed by a trusted certificate authority (CA) or self-signed certificates.

You use the cell-management-tool to create the self-signed SSL certificates. The cell-management-tool utility is installed on the cell before the configuration agent runs and after you run the installation file. See Install VMware Cloud Director on the First Member of a Server Group.

Important: These examples specify a 2048-bit key size, but you should evaluate your installation's security requirements before choosing an appropriate key size. NIST Special Publication 800-131A disallows RSA keys shorter than 2048 bits for digital signature generation, so treat 2048 bits as the minimum rather than a target; key sizes less than 1024 bits are not supported at all.



  1. Log in directly or by using an SSH client to the OS of the VMware Cloud Director server cell as root.
  2. Depending on your environment needs, choose one of the following options.
    • If you have your own private key and CA-signed certificate files, skip to Step 6.
    • If you want to generate new certificates with custom options, such as a greater key size, continue to Step 3.
  3. Run the command to create a public and private key pair for the HTTPS service and for the console proxy service.
    /opt/vmware/vcloud-director/bin/cell-management-tool generate-certs --cert cert.pem --key cert.key --key-password key_password

    The command creates or overwrites a certificate file at cert.pem and the private key file at cert.key with the specified password. Certificates are created using the command's default values. Depending on the DNS configuration of your environment, the Issuer CN is set to either the IP address or the FQDN for each service. The certificate uses the default 2048-bit key length and expires one year after creation.

    Important: The certificate file, the private key file, and the directory in which they are stored must be readable by the user vcloud.vcloud. The VMware Cloud Director installer creates this user and group.
  4. Create a certificate signing request in the cert.csr file.
    openssl req -new -key cert.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:vcd2,IP:ip_address\n")) -out cert.csr

    Replace vcd2 and ip_address with the FQDN and IP address of the endpoint, and list every name clients use as an additional DNS: or IP: entry. The <(...) process substitution requires bash.
  5. Send the certificate signing requests to your Certificate Authority.
    If your certificate authority requires you to specify a Web server type, use Jakarta Tomcat.
    You obtain the CA-signed certificates.
  6. Run the command to append any intermediate certificates and the root CA certificate to the CA-signed certificate you obtained in Step 5, or to your own CA-signed certificate if you skipped to this step. The resulting cert.pem must contain the server (leaf) certificate first, followed by the intermediate certificates in order, with the root CA certificate last.
    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer >> cert.pem
  7. Repeat this procedure on all VMware Cloud Director servers in the server group.
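The following script is an added example and is not VMware's code or part of the cell-management-tool. It wraps the CSR step above in a helper that builds the SAN list for both endpoints from an OpenSSL config file (equivalent to the -reqexts SAN form, but portable to plain sh), and then runs the checks a practitioner would want before handing cert.pem and cert.key to the configure script: key length against the 2048-bit floor, the leaf certificate actually matching the private key and sitting first in the file, the SAN entries being present, the chain verifying to a root in the same file, and the key not being world-readable. The host name vcd2.example.com and address 10.100.101.9 are constructed placeholders; the self-signing helper stands in for the CA only so the demo runs offline, and the key is generated without a password, unlike the one cell-management-tool writes.

```shell
#!/bin/sh
# Added example (not VMware's code): build a CSR whose SAN covers the Cloud
# Director HTTPS and console proxy endpoints, then sanity-check the finished
# cert.pem/cert.key pair before the configure script or certificates import.
# Names and addresses are constructed placeholders; substitute your own.
set -u

# Write an OpenSSL config to $1 whose [SAN] section holds the comma-separated
# subjectAltName entries in $2, e.g. "DNS:vcd2,DNS:vcd2.example.com,IP:10.100.101.9".
write_san_cnf() {
  printf '[req]\ndistinguished_name = dn\nreq_extensions = SAN\n[dn]\n[SAN]\nsubjectAltName = %s\n' "$2" > "$1"
}

# Generate an unencrypted RSA private key of $2 bits into $1.
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$1" 2>/dev/null
}

# Create CSR $2 from key $1 with subject CN $3 and SAN list $4.
make_csr() {
  cfg=$(mktemp)
  write_san_cnf "$cfg" "$4"
  openssl req -new -key "$1" -subj "/CN=$3" -config "$cfg" -out "$2" 2>/dev/null
  rc=$?; rm -f "$cfg"; return $rc
}

# Demo-only stand-in for the CA: self-sign CSR $2 with key $1, copying SAN list
# $3 into certificate $4. In production the CA returns this certificate.
self_sign_for_demo() {
  cfg=$(mktemp)
  write_san_cnf "$cfg" "$3"
  openssl x509 -req -in "$2" -signkey "$1" -days 365 -extfile "$cfg" -extensions SAN -out "$4" 2>/dev/null
  rc=$?; rm -f "$cfg"; return $rc
}

# --- checks to run against the final cert.pem and cert.key ---

# Modulus size of the private key in $1, e.g. 2048.
key_bits() {
  openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Number of PEM certificates in $1; 1 means the chain was never appended.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# The FIRST certificate in $1 must be the leaf for key $2. openssl x509 reads
# only the first PEM block, so this also catches a chain pasted in the wrong order.
leaf_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The leaf in $1 must carry SAN entry $2 as printed by openssl,
# e.g. "DNS:vcd2.example.com" or "IP Address:10.100.101.9".
leaf_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# The leaf in $1 must chain to a self-signed root that is also present in $1.
chain_verifies() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# The private key must not be world-readable; only vcloud.vcloud needs it.
key_not_world_readable() { [ -z "$(find "$1" -perm -o+r)" ]; }

# Build key, CSR and a self-signed cert in directory $1 and run every check.
# Returns 0 only if all checks pass; leaves the files in place for inspection.
demo() {
  d="$1"
  san='DNS:vcd2,DNS:vcd2.example.com,IP:10.100.101.9'
  make_key "$d/cert.key" 2048 && chmod 0600 "$d/cert.key" &&
  make_csr "$d/cert.key" "$d/cert.csr" vcd2.example.com "$san" &&
  self_sign_for_demo "$d/cert.key" "$d/cert.csr" "$san" "$d/cert.pem" &&
  [ "$(key_bits "$d/cert.key")" -ge 2048 ] &&
  [ "$(cert_count "$d/cert.pem")" -ge 1 ] &&
  leaf_matches_key "$d/cert.pem" "$d/cert.key" &&
  leaf_has_san "$d/cert.pem" 'DNS:vcd2.example.com' &&
  leaf_has_san "$d/cert.pem" 'IP Address:10.100.101.9' &&
  chain_verifies "$d/cert.pem" &&
  key_not_world_readable "$d/cert.key"
}

# Usage: sh vcd-certs.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  if demo "$d"; then echo "all checks passed"; else echo "a check FAILED"; fi
  rm -rf "$d"
fi
```

For a real deployment, point leaf_matches_key, leaf_has_san, chain_verifies and key_not_world_readable at the cert.pem and cert.key produced in Steps 3 to 6 (adding -passin to the openssl pkey call if the key is password-protected), and run them once per endpoint when the HTTPS and console proxy services use separate certificates.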

What to do next

  • If you have not yet configured your VMware Cloud Director instance, run the configure script to import the certificates to VMware Cloud Director. See Configure the Network and Database Connections.
    Note: If you created the cert.pem or cert.key certificate files on a computer other than the server on which you generated the list of fully qualified domain names and their associated IP addresses, copy the cert.pem and cert.key files to that server now. You need the certificate and private key path names when you run the configuration script.
  • If you have already installed and configured your VMware Cloud Director instance, use the certificates command of the cell management tool to import the certificates. See Replacing Certificates for the HTTPS and Console Proxy Endpoints.