Self-signed certificates can provide a convenient way to configure SSL for vCloud Director in environments where trust concerns are minimal.

Each vCloud Director server requires two SSL certificates in a JCEKS keystore file, one for the HTTPS service and one for the console proxy service.

Use the cell-management-tool utility to create the self-signed SSL certificates. The utility is installed on the cell when you run the installation file, before the configuration agent runs. See Install vCloud Director on the First Member of a Server Group.

Important: These examples specify a 2048-bit key size, but you should evaluate your installation's security requirements before choosing an appropriate key size. Key sizes less than 1024 bits are no longer supported per NIST Special Publication 800-131A.


  1. Log in directly or by using an SSH client to the OS of the vCloud Director server as root.
  2. Run the command to create a public and private key pair for the HTTPS service and for the console proxy service.
    /opt/vmware/vcloud-director/bin/cell-management-tool generate-certs -j -p -o certificates.ks -w passwd

    The command creates or updates a keystore at certificates.ks that has the password passwd. The cell-management-tool creates the certificates by using the command's default values. Depending on the DNS configuration of your environment, the Issuer CN is set to either the IP address or the FQDN for each service. The certificate uses the default 2048-bit key length and expires one year after creation.

    Important: The keystore file and the directory in which it is stored must be readable by the user vcloud.vcloud. The vCloud Director installer creates this user and group.
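
The ownership requirement in the note above can be checked before you run the configuration script. The following script is an added example, not part of the VMware documentation or tooling: its function names are hypothetical, and it also warns when the keystore is world-readable, a check added here because the keystore holds the private keys. It assumes GNU stat and judges access from owner, group and mode bits only.

```shell
#!/bin/sh
# Added example, not VMware code. Assumes GNU stat; looks only at owner, group
# and mode bits (ACLs and supplementary groups are ignored).

# perm_ok PATH USER GROUP NEED: succeed if the class that applies to USER (owner,
# else GROUP, else other) grants every bit in NEED (4 = read, 1 = search).
perm_ok() {
    po_meta=$(stat -c '%U %G %a' -- "$1" 2>/dev/null) || return 1
    po_owner=${po_meta%% *}
    po_rest=${po_meta#* }
    po_group=${po_rest%% *}
    po_mode=$(printf '%04d' "${po_rest#* }")    # pad the mode, e.g. 640 -> 0640
    if [ "$po_owner" = "$2" ]; then
        po_bits=${po_mode#?}; po_bits=${po_bits%??}     # owner digit
    elif [ "$po_group" = "$3" ]; then
        po_bits=${po_mode#??}; po_bits=${po_bits%?}     # group digit
    else
        po_bits=${po_mode#???}                          # other digit
    fi
    [ $(( $po_bits & $4 )) -eq "$4" ]
}

# world_readable PATH: succeed if the "other" class has the read bit set.
world_readable() {
    wr_raw=$(stat -c '%a' -- "$1" 2>/dev/null) || return 1
    wr_mode=$(printf '%04d' "$wr_raw")
    [ $(( ${wr_mode#???} & 4 )) -ne 0 ]
}

# check_keystore KEYSTORE [USER] [GROUP]: the keystore needs read; its directory
# needs read plus search so that the file inside it can be opened.
check_keystore() {
    ck_user=${2:-vcloud}
    ck_group=${3:-vcloud}
    ck_dir=$(dirname -- "$1")
    ck_rc=0
    if ! perm_ok "$1" "$ck_user" "$ck_group" 4; then
        echo "FAIL: $1 is not readable by $ck_user.$ck_group" >&2; ck_rc=1
    fi
    if ! perm_ok "$ck_dir" "$ck_user" "$ck_group" 5; then
        echo "FAIL: $ck_dir is not readable by $ck_user.$ck_group" >&2; ck_rc=1
    fi
    if world_readable "$1"; then
        echo "WARN: $1 holds private keys and is world-readable" >&2
    fi
    return "$ck_rc"
}

if [ "$#" -gt 0 ]; then check_keystore "$@"; fi   # e.g. ./check.sh certificates.ks
```

The script exits non-zero when either the keystore or its directory fails the check; the world-readable warning does not change the exit status.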

What to do next

Make note of the keystore path name. You need the keystore path name when you run the configuration script to create the network and database connections for the vCloud Director cell. See Configure the Network and Database Connections.