When you deploy the vCloud Director appliance, it generates self-signed certificates with a validity period of 365 days. If there are expiring or expired certificates in your environment, you can generate new self-signed certificates. You must renew the certificates for each vCloud Director cell individually.

The vCloud Director appliance uses two sets of SSL certificates. The vCloud Director service uses one set of certificates for HTTPS and console proxy communications. The embedded PostgreSQL database and the vCloud Director appliance management user interface share the other set of SSL certificates.

You can change both sets of self-signed certificates. Alternatively, if you use CA-signed certificates for the HTTPS and console proxy communications of vCloud Director, you can change only the embedded PostgreSQL database and appliance management UI certificate. CA-signed certificates include a complete trust chain rooted in a well-known public certificate authority.


If you are renewing the certificate for the primary node in a database high availability cluster, place all other nodes in maintenance mode to prevent data loss. See Managing a Cell.


  1. Log in directly or SSH to the OS of the vCloud Director appliance as root.
  2. To stop the vCloud Director services, run the following command.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell --shutdown
  3. To generate new self-signed certificates, run the following command.
    /opt/vmware/appliance/bin/generate-certificates.sh <root-password>
    This command automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart. The command generates a new certificates keystore /opt/vmware/vcloud-director/certificates.ks with new self-signed certificates for the HTTPS and console proxy communication of vCloud Director, which are used in Step 4.
  4. If you are not using CA-signed certificates, run the command to import the newly generated self-signed certificates to vCloud Director.
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password <root-password>
  5. Restart the vCloud Director service.
    service vmware-vcd start


The renewed self-signed certificates are visible in the vCloud Director user interface.

The new PostgreSQL certificate is imported to the vCloud Director truststore on other vCloud Director cells the next time the appliance-sync function runs. The operation might take up to 60 seconds.

What to do next

If necessary, a self-signed certificate can be replaced with a certificate signed by an external or internal certificate authority.