You can create and use a self-signed certificate if you do not have a commercial Certificate Authority (CA) certificate. There is no difference in functionality between commercial certificates and self-signed certificates.


Replace the sample FQDN provided in this section with your company FQDN.
Note: Since certificate upgrade is not supported after creating a Kubernetes cluster, the self-signed certificate is created with expiration of 10 years.


  1. Generate a CA certificate. Open a command prompt and run the following command:
    #openssl genrsa -out ca.key 4096
    #openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/OU=TEC/CN=<replace-with-custom-  
        FQDN>" \
        -key ca.key  -out ca.crt
  2. Generate a server certificate:
    #openssl genrsa -out <replace-with-custom-FQDN>.key 4096
    #openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=VMware/OU=TEC/CN=<replace-with-custom-hostname>" \
        -key <replace-with-custom-FQDN>.key \
        -out <replace-with-custom-FQDN>.csr
    #cat > v3.ext <<-EOF
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    IP.2=<IP address of your PhotonOS accessible from Private Network>
    #openssl x509 -req -sha512 -days 3650 \
        -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in <replace-with-custom-FQDN>.csr \
        -out <replace-with-custom-FQDN>.crt
    #openssl x509 -inform PEM -in <replace-with-custom-FQDN>.crt -out <replace-with-custom-FQDN>.cert
  3. Copy the certificate to Docker and Harbor repositories. To perform this action, you must define port 8043 for Docker and Harbor, and specify the port number on the folder name:
    #mkdir -p /etc/docker/certs.d/<replace-with-custom-FQDN>:8043
    #cp <replace-with-custom-FQDN>.cert /etc/docker/certs.d/<replace-with-custom-FQDN>:8043/
    #cp <replace-with-custom-FQDN>.key /etc/docker/certs.d/<replace-with-custom-FQDN>:8043/
    #cp ca.crt /etc/docker/certs.d/<replace-with-custom-FQDN>:8043/
  4. To mark this certificate as trusted, copy it to the SSL Cert folder:
    #cp ca.crt /etc/ssl/certs/cacert.pem


You have successfully created a self-signed certificate.