SSL Certificate Creation and Management of the VMware Cloud Director Appliance

VMware Cloud Director uses SSL handshakes to secure communications between clients and servers.

Starting with VMware Cloud Director 10.4, the console proxy uses the same IP address and port as the REST API. The console proxy and REST API use a single certificate. Because of the unified access point, customizing the VMware Cloud Director public console proxy address is no longer necessary.

Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.

In VMware Cloud Director 10.4, if you want to use the legacy implementation with a dedicated console proxy access point, you can enable the LegacyConsoleProxy feature from the Feature Flags settings menu under the Administration tab of the VMware Cloud Director Service Provider Admin Portal. To enable the LegacyConsoleProxy feature, your installation or deployment must have console proxy settings configured in a previous version and transferred through a VMware Cloud Director upgrade. After enabling or deactivating the feature you must restart the cells.

For VMware Cloud Director 10.4, if you enable the legacy console proxy implementation, you must configure the VMware Cloud Director public console proxy address, because each VMware Cloud Director server must support two different SSL endpoints, one for HTTPS and one for console proxy communications and the appliance uses a single IP address with custom port 8443 for the console proxy service. See the VMware Cloud Director 10.3 version of this document.

Signed certificates are signed by authorized Certificate Authorities (CA) and, as long as the local OS truststore has a copy of the root and of the intermediate certificates of the CA, they are trusted by browsers. Some CAs require that you submit the requirements for a certificate, others require you to submit a Certificate Signing Request (CSR). In both scenarios, you are creating a self-signed certificate, and you generate a CSR that is based on that certificate. The CA signs your certificate with their private key, which you can then decrypt with your copy of their public key, and establish a trust.

When you renew an expired SSL certificate, you don't need to provide VMware Cloud Director with any data about the expired certificate. This means that after you import the required SSL certificates into the VMware Cloud Director appliance, you don't need to back them up.

Starting with VMware Cloud Director 10.2.2, you can import PEM files directly into the VMware Cloud Director appliance. If your certificate files are in another format, you can use OpenSSL to convert them to PEM before importing them to VMware Cloud Director with the cell management tool.

You can import the .key and .pem certificate files to the appliance by using the cell management tool.

Depending on your environment needs, choose one of the following options.

If you want to deploy a VMware Cloud Director with signed wildcard certificates, see Deploy the VMware Cloud Director Appliance 10.4.1 and Later with a Signed Wildcard Certificate for HTTPS Communication.
If you want to replace the self-signed certificates of a newly deployed appliance with CA-signed certificates. see Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance 10.4.1 and Later.
If you want to create CA-signed certificates and import them to the VMware Cloud Director appliance, see Create and Import CA-Signed SSL Certificates for VMware Cloud Director Appliance 10.4.1 and Later.
If you want to renew the certificates for HTTPS communication of VMware Cloud Director, as well as for the embedded PostgreSQL database and theVMware Cloud Director appliance management UI, see Renew the VMware Cloud Director Appliance Certificates for Version 10.4.1 and Later.