If you have your own private key and CA-signed certificate files, importing them into your VMware Cloud Director environment provides the highest level of trust for SSL communications and helps you secure the connections within your cloud infrastructure.

Important: Starting with VMware Cloud Director 10.5.1, the certificates command of the cell management tool is deprecated. The certificates command appears to work correctly, but after a cell restart, the changes are not in effect because the cell no longer reads the certificate files from the files on-disk. In version 10.5.1 and later, VMware Cloud Director reads the certificates from the Certificates Library. See Certificate Management in the VMware Cloud Director Appliance 10.5.1 and Later.

Starting with VMware Cloud Director 10.4, both the console proxy traffic and HTTPS communications go over the default 443 port. You do not need a separate certificate for the console proxy.

Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.


  • To verify that this is the relevant procedure for your environment needs, familiarize yourself with SSL Certificate Creation and Management of Your VMware Cloud Director Appliance.

  • Copy your intermediate certificates, root CA certificate, CA-signed HTTPS service certificate to the appliance.
  • Verify that the key and certificate you want to import are a PEM-encoded PKCS #8 private key and a PEM-encoded X.509 certificate.


  1. Log in directly or by using an SSH client to the VMware Cloud Director appliance console as root.
  2. Back up the existing certificate files.
    Option Description
    If your environment was upgraded from VMware Cloud Director 10.2.
    1. Make a note of the existing http and consoleproxy certificate file paths from /opt/vmware/vcloud-director/etc/global.properties using the properties of user.http.pem,user.http.key, user.consoleproxy.pem, and user.consoleproxy.key.
    2. To back up the existing certificate files, use the paths from step 2a to run the following commands.
      cp path_to_the_user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original
      cp path_to_the_user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original
    If your environment was upgraded from VMware Cloud Director 10.3 or is a new deployment. To back up the existing certificate files, run the following commands.
    cp /opt/vmware/vcloud-director/etc/user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original
    cp /opt/vmware/vcloud-director/etc/user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original
  3. Copy and replace the key and certificate files that you must import at /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.http.key.
  4. If you have intermediate certificates, to append the root CA-signed certificate and any intermediate certificates to the HTTP certificates, run the following command.
    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cerroot-CA-certificate.cer >> /opt/vmware/vcloud-director/etc/user.http.pem

    Where intermediate-certificate-file-1.cer and intermediate-certificate-file-2.cer are the names of intermediate certificates and root-CA-certificate.cer is the name of the root CA-signed certificate.

  5. Run the command to import the signed certificates into the VMware Cloud Director instance.
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password imported_key_password
  6. For the CA-signed certificates to take effect, restart the vmware-vcd service on the VMware Cloud Director appliance.
    1. Run the command to stop the service.
      /opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s
    2. Run the command to start the service.
      systemctl start vmware-vcd

What to do next