In this article I will explain how to install public SSL certificates on vCloud Director 9.7 appliances.
VMware points to this article to create and import a Signed SSL Certificate to the vCloud Director environment.
The difference here is that most of us already own an SSL certificate.
When this is the case, the mentioned article won’t be useful.
vCloud Director has two interfaces listening for your requests on different ports, so you need two SSL certificates.
I will not cover the installation of certificates on reverse proxies, Web Application Firewalls, etc. in this article, but these should not be forgotten!
In this scenario we will use one wildcard certificate to cover both ports.
In the drawing below you can see how the traffic reaches the diff
- eth0 will be used for HTTP/HTTPS
- eth1 will be used for Remote Console traffic

Install public SSL certificates on primary vCloud Director 9.7 cell
Before we can start installing the SSL certificate to the first cell, we need to meet the following prerequisites:
- Working vCloud Director 9.7 environment
- SSL certificate in .PFX format (and of course the password!)
- SSH access to the primary vCloud Director cell
- Putty
- WinSCP
Ok, let’s go!
- Connect to the first cell using WinSCP
- Navigate to the /tmp/ folder and upload the .PFX certificate
  (Screenshot: WinSCP – Upload PFX to TMP folder)
- When finished, connect via SSH to Cell01 using your Putty client.
- Run the following commands (make sure you change the VCD_KEYSTORE_PASSWORD placeholder!)
```bash
# Stop vCloud Director services
service vmware-vcd stop

# Add the HTTP certificate to a newly created certificates.ks keystore.
# keytool prompts for the password of the PFX (the source keystore).
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storepass VCD_KEYSTORE_PASSWORD -keypass VCD_KEYSTORE_PASSWORD -storetype JCEKS -importkeystore -srckeystore /tmp/star.vblog.nl.pfx
# Rename the imported entry (alias 1) to http; keytool prompts for the keystore password.
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storetype JCEKS -changealias -alias 1 -destalias http

# Add the Remote Console Proxy certificate to the newly created certificates.ks keystore.
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storepass VCD_KEYSTORE_PASSWORD -keypass VCD_KEYSTORE_PASSWORD -storetype JCEKS -importkeystore -srckeystore /tmp/star.vblog.nl.pfx
# Rename the second imported entry (alias 1) to consoleproxy.
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storetype JCEKS -changealias -alias 1 -destalias consoleproxy

# Make a back-up of the existing keystore
cd /opt/vmware/vcloud-director
cp certificates.ks certificates.ks.OLD

# Copy the new keystore file to the vCloud Director environment
cp /tmp/certificates.ks /opt/vmware/vcloud-director/certificates.ks

# Update rights to the keystore file (owner vcloud, readable by the owner only)
chown vcloud:vcloud /opt/vmware/vcloud-director/certificates.ks
chmod -R 600 /opt/vmware/vcloud-director/certificates.ks

# Run the vCloud Director configuration script
/opt/vmware/vcloud-director/bin/configure
```
- During the vCloud Director configuration script you need to enter IPs, syslog server, etc.
- Afterwards, vCloud Director services will be started with the public SSL certificate
- Make sure your public endpoints are set correctly in the vCloud Director admin portal
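
Both `-changealias` commands above depend on the PFX entry being imported under the alias `1`; if it is not, keytool reports that the alias does not exist and the keystore ends up without a usable `http` or `consoleproxy` entry. The script below is an added example, not part of the original article: it parses `keytool -list` output and checks that both aliases are present as `PrivateKeyEntry`, so it can be run against /tmp/certificates.ks before the file is copied into place. The function name `check_vcd_keystore` and the two sample listings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): confirm the keystore holds
# both aliases the cell needs, each with a private key.

# Reads non-verbose `keytool -list` output on stdin. Returns 0 only if "http"
# and "consoleproxy" are both present as PrivateKeyEntry.
check_vcd_keystore() {
    awk '
        # Entry lines look like: <alias>, <date>, <EntryType>,
        /, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),? *$/ {
            alias = $0; sub(/,.*/, "", alias)
            type = $0;  sub(/,? *$/, "", type); sub(/.*, /, "", type)
            seen[alias] = type
        }
        END {
            bad = 0
            n = split("http consoleproxy", need, " ")
            for (i = 1; i <= n; i++) {
                a = need[i]
                if (!(a in seen)) { print "MISSING " a; bad = 1 }
                else if (seen[a] != "PrivateKeyEntry") { print "NOKEY " a " (" seen[a] ")"; bad = 1 }
                else print "OK " a
            }
            exit bad
        }'
}

# Constructed sample listings (fingerprints are dummy values).
GOOD_LIST='Your keystore contains 2 entries

consoleproxy, May 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
http, May 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Alias 1 was never renamed to consoleproxy; http carries no private key.
BAD_LIST='Your keystore contains 2 entries

1, May 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
http, May 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

printf '%s\n' "$GOOD_LIST" | check_vcd_keystore
printf '%s\n' "$BAD_LIST" | check_vcd_keystore || echo "keystore is not ready for configure"

# On a cell, feed it the real listing (keytool prompts for the keystore password):
# /opt/vmware/vcloud-director/jre/bin/keytool -list -storetype JCEKS \
#   -keystore /tmp/certificates.ks | check_vcd_keystore
```
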

Install on additional vCloud Director cells
- Connect to the next vCloud Director cell: Cell02
- Run the following commands
```bash
# Stop vCloud Director services (only required if vCloud Director is already configured)
service vmware-vcd stop

# Update rights to the keystore file
chown vcloud:vcloud /opt/vmware/vcloud-director/certificates.ks
chmod -R 600 /opt/vmware/vcloud-director/certificates.ks

# Run the vCloud Director configuration script with response file
/opt/vmware/vcloud-director/bin/configure -r /opt/vmware/vcloud-director/data/transfer/responses.properties
```
- After finishing the configuration script on Cell02, the vCloud Director services will be started
More vCloud Director related articles will be posted here.
Hi,
Thank you for your post.
I’ve a Fortinet Load Balancer using a Public Virtual IP in front of the private IP of the cells. Will the certificate installed on the cells be translated to the public virtual IP as well, or should I upload the certificate “somewhere” in the Fortinet?
Thank you
Cheers
Raff