Self-signed certificates can provide a convenient way to configure SSL for vCloud Director in environments where trust concerns are minimal.

Each vCloud Director server requires two SSL certificates, one for each of its IP addresses, in a Java keystore file. You must create two SSL certificates for each server that you intend to use in your vCloud Director server group. You can use certificates signed by a trusted certification authority, or self-signed certificates. Signed certificates provide the highest level of trust.

To create and import signed certificates, see Create and Import a Signed SSL Certificate.

Generate a list of fully-qualified domain names and their associated IP addresses on this server, along with a service choice for each IP address. See Create SSL Certificates.

Verify that you have access to a computer that has a Java version 6 runtime environment, so that you can use the keytool command to create the certificate. The vCloud Director installer places a copy of keytool in /opt/vmware/vcloud-director/jre/bin/keytool, but you can perform this procedure on any computer that has a Java version 6 runtime environment installed. Certificates created with a keytool from any other source are not supported for use with vCloud Director. Creating and importing the certificates before you install and configure vCloud Director software simplifies the installation and configuration process. These command-line examples assume that keytool is in the user's path. The keystore password is represented in these examples as passwd.


Create an untrusted certificate for the HTTP service.

This command creates an untrusted certificate in a keystore file named certificates.ks.

keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias http

Create an untrusted certificate for the console proxy service.

This command adds an untrusted certificate to the keystore file created in Step 1.

keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias consoleproxy

The certificate is valid for 90 days.


To verify that all the certificates are imported, list the contents of the keystore file.

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

Repeat Step 1 through Step 3 on each of the remaining vCloud Director servers.

If you created the certificates.ks keystore file on a computer other than the server on which you generated the list of fully qualified domain names and their associated IP addresses, copy the keystore file to that server now. You will need the keystore path name when you run the configuration script. See Configure Network and Database Connections.


Because the vCloud Director configuration script does not run with a privileged identity, the keystore file and the directory in which it is stored must be readable by any user.