If you have your own private key and CA-signed certificate files, you must create keystore files that hold the certificates and the private keys for both the HTTPS service and the console proxy service before you import them into your vCloud Director environment.


  • Familiarize yourself with the keytool command. You use keytool to import CA-signed SSL certificates to the vCloud Director appliance. vCloud Director places a copy of keytool at /opt/vmware/vcloud-director/jre/bin/keytool.

  • Copy your intermediate certificates, root CA certificate, CA-signed HTTPS service and Console Proxy service private keys and certificates to the appliance.


  1. Log in directly or SSH to the vCloud Director appliance console as root.
  2. If you have intermediate certificates, run the following command to combine the root CA certificate with the intermediate certificates into a certificate chain.
    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer > chain.crt
  3. Use OpenSSL to create an intermediate PKCS12 keystore file for each of the HTTPS and the console proxy services. Each file contains the private key and the certificate chain under the respective alias and is protected by a password that you specify.
    1. Create the keystore file for the HTTPS service.
      openssl pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:keystore_password -out http.pfx -chain
    2. Create the keystore file for the console proxy service.
      openssl pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:keystore_password -out consoleproxy.pfx -chain
  4. Run the command to back up the existing certificates.ks file.
    cp /opt/vmware/vcloud-director/certificates.ks /root/certificates.ks.original
  5. Use the keytool command to import the PKCS12 keystores into the JCEKS keystore.
    1. Import the PKCS12 keystore for the HTTPS service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore /opt/vmware/vcloud-director/certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass keystore_password
    2. Import the PKCS12 keystore for the console proxy service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore /opt/vmware/vcloud-director/certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass keystore_password
  6. Verify that the import of the certificates is successful.
    keytool -storetype JCEKS -storepass keystore_password -keystore /opt/vmware/vcloud-director/certificates.ks -list
  7. Run the command to import the signed certificates into the vCloud Director instance.
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password keystore_password
  8. For the CA-signed certificates to take effect, restart the vmware-vcd service on the vCloud Director appliance.
    service vmware-vcd restart
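
A pre-flight check for the files used in step 3, as an added example that is not part of the VMware procedure: it confirms that each private key matches its certificate and that the certificate verifies against chain.crt before any keystore is touched. The function names, the script name, and the constructed sample data are this example's own; it assumes unencrypted PEM keys and openssl on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not VMware's code. Function names are this example's own;
# file names (http.crt, http.key, chain.crt) follow the procedure above.

# Succeeds only if the certificate and the private key hold the same public key.
# Assumes an unencrypted PEM key: "-passin pass:" makes an encrypted key fail
# here instead of prompting.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate verifies with chain.crt as the CA file.
cert_chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs both checks for one service (http or consoleproxy) in directory $2.
# Returns 1 on a key mismatch, 2 on a chain failure.
preflight() {
    local svc="$1" dir="${2:-.}"
    key_matches_cert "$dir/$svc.crt" "$dir/$svc.key" ||
        { echo "$svc: private key does not match certificate" >&2; return 1; }
    cert_chains_to_root "$dir/$svc.crt" "$dir/chain.crt" ||
        { echo "$svc: certificate does not verify against chain.crt" >&2; return 2; }
    echo "$svc: ok"
}

# Constructed sample data for trying the checks: a throwaway root CA written
# to chain.crt, one HTTPS certificate signed by it, and an unrelated other.key.
make_sample() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
        -keyout "$d/ca.key" -out "$d/chain.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcd.example.test" \
        -keyout "$d/http.key" -out "$d/http.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/http.csr" -CA "$d/chain.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/http.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Usage (hypothetical script name): ./preflight.sh http /path/to/files
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it once for `http` and once for `consoleproxy` in the directory that holds the copied files, and continue with step 3 only when both report ok.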

What to do next