You can deploy the VMware Cloud Director appliance with signed wildcard certificates. You can use these certificates to secure an unlimited number of servers that are subdomains of the domain name listed in the certificate. The procedure for version 10.4 includes console proxy settings.

If you want to deployVMware Cloud Director appliance 10.4.1 or later, see Deploy the VMware Cloud Director Appliance 10.4.1 and Later with a Signed Wildcard Certificate for HTTPS Communication.

By default, when deploying VMware Cloud Director appliances, VMware Cloud Director generates self-signed certificates and uses them to configure the VMware Cloud Director cell for the HTTPS communication.

Starting with VMware Cloud Director 10.4, both the console proxy traffic and HTTPS communications go over the default 443 port. You do not need a separate certificate for the console proxy.

Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.

When you successfully deploy a primary appliance, the appliance configuration logic copies the file from the primary appliance to the common NFS shared transfer service storage at /opt/vmware/vcloud-director/data/transfer. Other appliances deployed for this VMware Cloud Director server group use this file to configure themselves automatically. The file includes a path to the SSL certificate and private key, which includes the auto-generated self-signed certificates user.certificate.path, private key user.key.path, console proxy certificates user.consoleproxy.certificate.path, and console proxy private key user.consoleproxy.key.path. By default, these paths are to PEM files which are local to each appliance.

Note: The key password that you use for the certificates must match the initial root password used when deploying all appliances.

After you deploy the primary appliance, you can reconfigure it to use signed certificates. For more information on creating the signed certificates, see Create and Import CA-Signed SSL Certificates for VMware Cloud Director Appliance 10.4.1 and Later.

If the signed certificates you use on the primary VMware Cloud Director appliance are wildcard signed certificates, these certificates can apply to all other appliances in the VMware Cloud Director server group, that is, standby cells and VMware Cloud Director application cells. You can use the deployment of the appliance with signed wildcard certificates for HTTPS and console proxy communication to configure the additional cells with the signed wildcard SSL certificates.


To verify that this is the relevant procedure for your environment needs, familiarize yourself with SSL Certificate Creation and Management of the VMware Cloud Director Appliance.


  1. Copy the user.http.pem, user.http.key, user.consoleproxy.pem, and user.consoleproxy.key files from the primary appliance to the transfer share at /opt/vmware/vcloud-director/data/transfer/.
  2. Change the owner and the group permissions on the certificate files to vcloud.
    chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.http.pem
    chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.http.key
    chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem
    chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key
  3. Verify that the owner of the certificate files has read and write permissions.
    chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.pem
    chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.key
    chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem
    chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key
  4. On the primary appliance, run the command to import the new signed certificates into the VMware Cloud Director instance.

    These commands also update the file in the transfer share, modifying the user.certificate.path, user.key.path, user.consoleproxy.certificate.path, and user.consoleproxy.key.path variables to point to the certificate files in the transfer share.

    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/data/transfer/user.http.pem --key /opt/vmware/vcloud-director/data/transfer/user.http.key --key-password root-password
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem --key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key --key-password root-password
  5. For the new signed certificates to take effect, restart the vmware-vcd service on the primary appliance.
    1. Run the command to stop the service.
      /opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s
    2. Run the command to start the service.
      systemctl start vmware-vcd
  6. Deploy the standby cell and application cell appliances, using the initial root password that matches the key password.


All newly deployed appliances that use the same NFS shared transfer service storage are configured with the same signed wildcard SSL certificates used by the primary appliance.