Self-signed certificates can provide a convenient way to configure SSL for VMware Cloud Director in environments where trust concerns are minimal.
Each VMware Cloud Director server requires SSL certificates for the HTTPS service and for the console proxy service.
You use the cell-management-tool to create the self-signed SSL certificates. The cell-management-tool utility is installed on the cell when you run the installation file, before the configuration agent runs. See Install VMware Cloud Director on the First Member of a Server Group.
Important: These examples specify a 2048-bit key size, but you should evaluate your installation's security requirements before choosing an appropriate key size. Key sizes less than 1024 bits are no longer supported per NIST Special Publication 800-131A.
Procedure
- Log in directly or by using an SSH client to the OS of the VMware Cloud Director server as root.
- Create a public and private key pair.
/opt/vmware/vcloud-director/bin/cell-management-tool generate-certs --cert cert.pem --key cert.key --key-password passwd
The command creates the certificate cert.pem, writes its private key to cert.key, and protects the key with the password passwd. The cell-management-tool creates the certificates by using the default values of the command. Depending on the DNS configuration of your environment, the Issuer CN is set to either the IP address or the FQDN for each service. The certificate uses the default 2048-bit key length and expires one year after creation.
Important: The certificate file, the private key file, and the directory in which they are stored must be readable by the user. The VMware Cloud Director installer creates this user and group.
What to do next
Make note of the certificate and private key path names. You need these path names when you run the configuration script to create the network and database connections for the VMware Cloud Director cell. See Configure the Network and Database Connections.