Adding a CA certificate to an edge gateway enables trust verification of SSL certificates that are presented to the edge gateway for authentication, typically the client certificates used in VPN connections to the edge gateway.

About this task

You usually add your company's or organization's root certificate as a CA certificate. A typical use is SSL VPN, where you want to authenticate VPN clients using certificates. Client certificates are distributed to the VPN clients, and when the clients connect, their certificates are validated against the CA certificate.


When adding a CA certificate, you typically configure a relevant CRL (Certificate Revocation List). The CRL protects against clients that present revoked certificates. For the steps on adding a CRL to the edge gateway, see Add a Certificate Revocation List to an Edge Gateway.


Verify that you have the CA certificate data in PEM format. In the user interface, you can either paste the CA certificate's PEM data or browse to a file that contains the data and that you can reach over your network from your local system.

To use the vCloud Director tenant portal to work with an edge gateway's settings, the edge gateway must already have been converted to an advanced edge gateway using the Convert to Advanced Gateway action on the edge gateway in the vCloud Director Web console. See the vCloud Director Administrator's Guide for details.


  1. Launch the tenant portal using the following steps.
    1. Log in to the vCloud Director Web console and navigate to the edge gateway.
    2. Right-click the name of the edge gateway and click Edge Gateway Services in the context menu.

      The tenant portal opens in a new browser tab and displays the Edge Gateway screen for that edge gateway.

  2. Click the Certificates tab.
  3. Click + CA CERTIFICATE.
  4. Provide the CA certificate's data using one of these methods:
    • If the data is in a PEM file on a system you can navigate to, click the import button to browse to the file and select it.

    • If you can copy and paste the PEM data, paste it into the CA Certificate (PEM format) field. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  5. (Optional) Type a description.
  6. Click Keep.


The CA certificate with type CA Certificate appears in the on-screen list. This CA certificate is now available for you to specify when you configure the edge gateway's VPN-related settings.
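
The PEM data can be checked locally before it is pasted into the CA Certificate (PEM format) field. The following Python script is an added example, not VMware code: the function names, the rule of one certificate per entry, and the heuristic byte scan for basicConstraints are assumptions, and the sample is a constructed DER blob rather than a real certificate.

```python
import base64
import binascii
import re

# Any PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"  # DER encoding of OID 2.5.29.19
# Constructed sample, not a real certificate: only basicConstraints cA=TRUE.
SAMPLE_DER = bytes.fromhex("3011300f0603551d130101ff040530030101ff")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def der_outer_sequence_ok(der):
    """True if der is one SEQUENCE whose declared length spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def asserts_ca(der):
    """Heuristic byte scan: basicConstraints present with cA BOOLEAN TRUE."""
    _, found, rest = der.partition(BASIC_CONSTRAINTS_OID)
    if rest[:3] == b"\x01\x01\xff":        # optional 'critical' flag
        rest = rest[3:]
    # Expect OCTET STRING wrapping SEQUENCE { BOOLEAN TRUE, ... }
    return (bool(found) and rest[:1] == b"\x04" and rest[2:3] == b"\x30"
            and rest[4:7] == b"\x01\x01\xff")

def preflight(pem_text):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("contains a private key block; remove it before upload")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:  # assumption: one certificate per CA entry
        return problems + [f"expected 1 CERTIFICATE block, found {len(certs)}"]
    try:
        der = base64.b64decode("".join(certs[0].split()), validate=True)
    except binascii.Error:
        return problems + ["CERTIFICATE body is not valid base64"]
    if not der_outer_sequence_ok(der):
        problems.append("decoded data is not a single well-formed DER SEQUENCE")
    elif not asserts_ca(der):
        problems.append("no basicConstraints CA:TRUE found; not a CA certificate")
    return problems
```

An empty result means only that the framing and the CA flag look right; the script does not verify signatures, validity dates, or revocation status.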