Use the generate-certs command of the cell management tool to generate self-signed SSL certificates for the HTTPS endpoint.

Each VMware Cloud Director server group must support an endpoint for the HTTPS service. Starting with VMware Cloud Director 10.4, the console proxy traffic and HTTPS communications go over the default 443 port. The HTTPS service endpoint supports the VMware Cloud Director Service Provider Admin Portal, the VMware Cloud Director Tenant Portal, the VMware Cloud Director API, and the console proxy traffic related to VMRC connections to vApps and VMs.

Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.

For VMware Cloud Director 10.4, if you want to use the legacy implementation with a dedicated console proxy access point, you can enable the LegacyConsoleProxy feature from the Feature Flags settings menu under the Administration tab of the Service Provider Admin Portal. To enable the LegacyConsoleProxy feature, your installation or deployment must have console proxy settings configured in a previous version and transferred through a VMware Cloud Director upgrade. After enabling or deactivating the feature you must restart the cells. If you enable the legacy console proxy implementation, the console proxy must have a separate certificate. See the VMware Cloud Director 10.3 version of this document.

The generate-certs command of the cell management tool automates the Create Self-Signed SSL Certificates for VMware Cloud Director on Linux procedure.

To generate new self-signed SSL certificates, use a command line with the following form:
cell-management-tool generate-certs options

Table 1. Cell Management Tool Options and Arguments, generate-certs Subcommand

| Option | Argument | Description |
| --- | --- | --- |
| --help (-h) | None | Provides a summary of available commands in this category. |
| --expiration (-x) | days-until-expiration | Number of days until the certificates expire. Defaults to 365. |
| --issuer (-i) | name=value [, name=value, ...] | X.509 distinguished name of the certificate issuer. Defaults to CN=FQDN, where FQDN is the fully qualified domain name of the cell or its IP address if no fully qualified domain name is available. If you specify multiple attribute and value pairs, separate them with commas and enclose the entire argument in quotation marks. |
| --key-size (-s) | key-size | Size of key pair expressed as an integer number of bits. Defaults to 2048. Key sizes smaller than 1024 are no longer supported per NIST Special Publication 800-131A. |
| --key-password | key-password | Password for the generated private key. |
| --cert | cert | Path to the generated PEM-encoded X.509 certificate file. |
| --key | key | Path to the generated PEM-encoded PKCS #8 private key file. |

Creating Self-Signed Certificates

Both of these examples assume a certificate file at /tmp/cell.pem and a corresponding private key file at /tmp/cell.key that has the password kpw. These files are created if they do not exist already.

This example creates the new certificates using the defaults. The issuer name is set to CN=Unknown. The certificate uses the default 2048-bit key length and expires one year after creation.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs --cert /tmp/cell.pem --key /tmp/cell.key --key-password kpw
New certificate created and written to /tmp/cell.pem
New private key created and written to /tmp/cell.key

This example specifies custom values for key size and issuer name. The issuer name is set to CN=Test, L=London, C=GB. The new certificate for the HTTPS connection has a 4096-bit key and expires 90 days after creation.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs --cert /tmp/cell.pem --key /tmp/cell.key --key-password kpw -i "CN=Test, L=London, C=GB" -s 4096 -x 90
New certificate created and written to /tmp/cell.pem
New private key created and written to /tmp/cell.key

Important: The certificate and private key files, and the directory in which they are stored, must be readable by the user vcloud.vcloud. The VMware Cloud Director installer creates this user and group.
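
One way to check the files that generate-certs writes before installing them on a cell, added here as an example and not part of VMware's tooling or documentation. The function name check_cell_cert, the password file argument, the 30-day threshold and the file-mode check are assumptions of this example; it requires openssl and GNU stat.

```bash
# Added example (not VMware code): sanity checks for the certificate and
# key files that generate-certs writes. Assumes openssl and GNU stat.
# Usage: check_cell_cert CERT KEY PASSFILE [MIN_BITS] [MIN_DAYS]
# PASSFILE holds the key password, keeping it out of the process list.
check_cell_cert() {
  local cert="$1" key="$2" passfile="$3"
  local min_bits="${4:-2048}" min_days="${5:-30}"
  local rc=0 bits cert_pub key_pub mode

  # 1. The certificate must parse as PEM-encoded X.509.
  if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo "FAIL: $cert is not a PEM X.509 certificate"; return 1
  fi

  # 2. Public key size, as set by --key-size.
  bits=$(openssl x509 -in "$cert" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ "${bits:-0}" -lt "$min_bits" ]; then
    echo "FAIL: key size ${bits:-unknown} is below $min_bits bits"; rc=1
  fi

  # 3. Remaining lifetime, as set by --expiration. -checkend exits
  #    non-zero when the certificate expires within the given seconds.
  if ! openssl x509 -in "$cert" -noout \
      -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $min_days days"; rc=1
  fi

  # 4. The key must decrypt with the password and pair with the cert.
  #    A failed decrypt yields an empty public key, so the hashes differ.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -passin "file:$passfile" -pubout \
    2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: key does not match certificate, or wrong password"; rc=1
  fi

  # 5. Extra hardening check (not a documented requirement): the key
  #    should not be accessible to "other" users.
  mode=$(stat -c '%a' "$key")
  case "$mode" in
    *[1-7]) echo "FAIL: $key mode $mode is accessible to other users"; rc=1 ;;
  esac
  return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate a deployment script that runs after generate-certs.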