Before you can order a signed certificate from a CA or create a self-signed certificate using the vCloud Director tenant portal, you must generate a Certificate Signing Request (CSR) for your edge gateway. If the edge gateway for your vCloud Director organization virtual datacenter has been converted to an advanced edge gateway, you can use the tenant portal's Certificates screen to generate the CSR.

About this task

A CSR is an encoded file that you need to generate on an NSX edge gateway that requires an SSL certificate. Using a CSR standardizes the way that companies send their public keys along with information that identifies their company names and domain names.

You generate a CSR with a matching private-key file that must remain on the edge gateway. The CSR contains the matching public key and other information such as your organization's name, location, and domain name.


  1. Launch the tenant portal using the following steps.
    1. Log in to the vCloud Director Web console and navigate to the edge gateway.
    2. Right-click the name of the edge gateway and click Edge Gateway Services in the context menu.

      The tenant portal opens in a new browser tab and displays the Edge Gateway screen for that edge gateway.

  2. Click the Certificates tab.
  3. Click + CSR.
  4. Configure the following options for the CSR:



    Common Name

    Type the fully-qualified domain name (FQDN) for the organization that you will be using the certificate for (for example, Do not include the http:// or https:// prefixes in your common name.

    Organization Unit

    Use this field to differentiate between divisions within your vCloud Director organization with which this certificate is associate ; for example, Engineering or Sales.

    Organization Name

    Type name under which your company is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request.


    Type the city or locality where your company is legally registered.

    State or Province Name

    Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.

    Country Code

    Type the country name where your company is legally registered.

    Private Key Algorithm

    Type the key type, either RSA or DSA, for the certificate. RSA is typically used. The key type defines the encryption algorithm for communication between the hosts.


    SSL VPN-Plus supports RSA certificates only.

    Key Size

    Type the key size in bits (2048 bit minimum).


    (Optional) Enter a description for the certificate.

  5. ClickKeep.

    The system generates the CSR and adds a new entry with type CSR to the on-screen list.


In the on-screen list, when you select an entry with type CSR, its CSR details are displayed in the screen. You can copy the CSR's displayed PEM formatted data and submit it to a certificate authority (CA) to obtain a CA-signed certificate.

What to do next

Use the CSR to create a service certificate using one of these two options: