With the Certificate Generation utility, you can either create certificates signed by Microsoft Windows, or create a certificate signing request for a third-party CA.

Note: There is a known security risk when copying key pairs and certificates to the /root/certs directory because it is not FIPS compliant.


  • You must have a Windows host with PowerShell installed on it.
  • For a Microsoft Windows signed certificate, the Windows host must be in the same domain as the Windows CA.
  • The account that you use to log in must have administrative privileges.

    Although non-administrator users can download and launch the tool, all operations fail if you do not have the proper permissions.

  • You must have created a Microsoft CA template. See Microsoft Certificate Authority Template in VMware Validated Design for Software-Defined Data Center.
  • You must have downloaded and installed OpenSSL for Windows.

    You can obtain the binary file from http://gnuwin32.sourceforge.net/packages/openssl.htm. It can be extracted anywhere in the Windows path.


  1. Copy the zip file package from the SDDC Manager VM to the Windows host.
  2. Extract the contents of the zip file on the Windows host.
    The CertGenVVD-*.ps1 file is included in the extracted files.
  3. Navigate to the directory where you extracted the contents of the zip file.
  4. Run one of the following commands.
    • To create a Microsoft Windows signed certificate, run the following command:
      .\CertGenVVD-3.0.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter

      Parameter                             Description
      -MSCASigned                           Certificate is to be signed by intermediate authority.
      -attrib 'CertificateTemplate:VMware'  The Microsoft CA template.
    • To create a certificate signing request for a third-party CA, run the following command.

      .\CertGenVVD-3.0.1.ps1 -CSR

  5. Type a password for the key file.
    A folder named SignedByMSCACerts is created.
  6. Zip the contents of the SignedByMSCACerts folder.
  7. Copy the SignedByMSCACerts zipped folder to the SDDC Manager VM in the /opt/vmware/cert-mgmt/bin directory.
    Note: The zip folder contains highly sensitive private key files and must be sent over trusted paths.
  8. Navigate to the /opt/vmware/cert-mgmt/bin directory and unzip the SignedByMSCACerts folder.
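
The note in step 7 can be backed by a check on the receiving side. The following is an added example, not part of the CertGenVVD package or the SDDC Manager tooling: it refuses to unzip the bundle unless its SHA-256 digest matches the value recorded on the Windows host (for example with Get-FileHash), then restricts the extracted private keys to their owner. The function names, the SignedByMSCACerts.zip file name, and the .key extension for private key files are assumptions.

```shell
#!/bin/sh
# Added example; not part of the CertGenVVD package or the SDDC Manager tooling.
# Assumptions: private key files end in .key, and the account running this
# owns them and is the one that uses them.

# check_digest FILE EXPECTED_SHA256
# Returns 0 only if FILE hashes to the digest recorded on the Windows host.
check_digest() {
    actual=$(sha256sum "$1" | awk '{print $1}') || return 1
    # Get-FileHash prints upper-case hex, sha256sum lower-case
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# lock_down_keys DIR
# Sets every *.key file under DIR to owner read/write only, then prints the
# number of key files that are still not mode 600 (0 means none are exposed).
lock_down_keys() {
    find "$1" -type f -name '*.key' -exec chmod 600 {} +
    find "$1" -type f -name '*.key' ! -perm 600 | wc -l | tr -d ' '
}

# receive_bundle ZIP EXPECTED_SHA256 KEYDIR
# Step 8 with checks: refuse to unzip on a digest mismatch, then lock down
# the key files under KEYDIR (the directory the archive extracts into).
receive_bundle() {
    if ! check_digest "$1" "$2"; then
        echo "digest mismatch for $1, not extracting" >&2
        return 1
    fi
    ( cd "$(dirname "$1")" && unzip -q "$(basename "$1")" ) || return 1
    [ "$(lock_down_keys "$3")" -eq 0 ]
}

# Usage on the SDDC Manager VM (the digest is a placeholder):
#   receive_bundle /opt/vmware/cert-mgmt/bin/SignedByMSCACerts.zip \
#       '<SHA256 from Get-FileHash>' /opt/vmware/cert-mgmt/bin/SignedByMSCACerts
```

Pass the digest to the VM by a channel other than the one that carries the zip file, so that a tampered archive cannot arrive with a matching digest.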