🧾 Background
As part of routine certificate management, we replaced the public/HTTPS certificate on our VMware Cloud Director (VCD) 10.6.1 environment following Broadcom KB article 379244 — "Replace VMware Cloud Director Public/HTTPS Certificate". The procedure covers importing the certificate via the VCD cell management tool and restarting services.
Post-replacement, VCD appeared healthy: the provider and tenant portals loaded correctly with the new certificate, and there were no obvious errors in the UI or vcd.log. We considered the change closed.
Several days later, end users started reporting that they were unable to open VM consoles from within the VCD tenant portal. The console window would either fail to launch or show a blank/error screen. No changes had been made to the environment in the interim.
🔍 Symptom, Root Cause & Fix — At a Glance
Symptom
VM console from VCD portal fails for all tenants after HTTPS certificate replacement.
Root Cause
The new public certificate (full PEM/chain) was not uploaded to Administration → Public Addresses. VCD still held the old certificate reference for console proxy communication.
Fix
Upload the full certificate PEM file under Administration → Public Addresses → Edit. The private key does not need to be re-uploaded — it is already stored.
📋 What the KB Article Misses
Broadcom KB 379244 correctly guides you through the cell-management-tool import, service restart, and certificate verification steps. However, it does not mention a second, separate configuration surface inside the VCD UI that also holds the public certificate: the Public Addresses section under Administration.
This section is used by VCD for console proxy endpoints and other public-facing URLs. When the certificate is replaced at the cell level but this UI setting is not updated, VCD continues to present the old certificate for console sessions — causing them to fail once the old certificate is no longer trusted or once browser/client behaviour differences surface.
✅ The Fix — Step by Step
After completing all steps in KB 379244, perform the following additional step to restore VM console access. You will need System Administrator access to the VCD provider portal.
Navigate to Public Addresses
1. Log in to the VCD Provider Portal
   Use a System Administrator account. Go to the Administration tab in the top navigation.
2. Open Public Addresses settings
   Navigate to Settings → Public Addresses in the left-hand menu.
3. Click Edit
   The Edit panel opens, showing the current certificate and public URLs configured for VCD.
4. Upload the new full PEM certificate file
   Use the certificate upload field to upload your full chain PEM file (the same certificate file used during the cell-management-tool import). The PEM should include the server certificate and any intermediate CA certificates.
   ⚡ Important: The private key is already stored from the original configuration. You do not need to upload the private key again — only the certificate (PEM) file.
5. Save and verify
Click Save. Wait a moment for VCD to apply the change. Test VM console access from a tenant portal — console sessions should now open successfully.
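A pre-upload check for the PEM file from step 4, as an added example that is not part of the original procedure or of Broadcom's tooling: it confirms the bundle carries certificates only (no private key), lists them in file order, and lets you compare the leaf against the certificate an endpoint serves. The function names and the sample blocks are assumptions made for illustration; the sample data is constructed and is not real X.509.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inspect_pem(text):
    """Return (sha256 fingerprints of CERTIFICATE blocks in file order, problems)."""
    fingerprints, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            problems.append(f"{label} block present: upload certificates only")
        elif label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            fingerprints.append(hashlib.sha256(der).hexdigest())
        else:
            problems.append(f"unexpected PEM block: {label}")
    if not fingerprints:
        problems.append("no CERTIFICATE blocks found")
    elif len(fingerprints) == 1:
        problems.append("single certificate: add intermediates if your CA issues through them")
    if len(set(fingerprints)) != len(fingerprints):
        problems.append("duplicate certificate in bundle")
    return fingerprints, problems


def served_leaf_fingerprint(host, port=443):
    """SHA-256 of the certificate an endpoint serves right now (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def leaf_matches(text, expected_fp):
    """True when the first certificate in the bundle has the expected fingerprint."""
    fps, _ = inspect_pem(text)
    return bool(fps) and fps[0] == expected_fp.lower().replace(":", "")


def fake_block(label, payload):
    """Constructed sample data: arbitrary bytes in PEM armour, not real X.509."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


SAMPLE_BUNDLE = fake_block("CERTIFICATE", b"constructed-leaf") + fake_block(
    "CERTIFICATE", b"constructed-intermediate")
SAMPLE_WITH_KEY = SAMPLE_BUNDLE + fake_block("PRIVATE KEY", b"constructed-key")
```

Run `inspect_pem(open(path).read())` on the real file before uploading, then pass `served_leaf_fingerprint("<your VCD public hostname>")` to `leaf_matches` to confirm the bundle's first certificate is the one the cell now serves.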
🕐 Why the Issue Appeared Days Later
A common question is: "Why did the console work initially, but then break after a few days?"
The most likely explanation is browser and OS certificate caching. Immediately after the replacement, existing browser sessions may have cached the previous console session tokens or connection state, allowing console access to continue briefly. As caches expired and new sessions were initiated, the certificate mismatch between the cell-level certificate and the Public Addresses setting became apparent, causing console launches to fail.
In some environments the delay may also relate to how quickly end users needed console access after the change — if no one opened a console immediately post-maintenance, the issue simply went unnoticed until normal usage resumed.
📝 Summary
Replacing the HTTPS certificate in VMware Cloud Director 10.6.1 requires two separate actions, even though the official Broadcom KB only documents one:
- ✔ Import the certificate via the cell management tool (covered by KB 379244)
- ✔ Upload the full PEM certificate under Administration → Public Addresses → Edit in the VCD UI (not in the KB at time of writing)
Skipping the second step allows the portal and API to serve the new certificate correctly, but breaks VM console access because VCD's console proxy still references the old certificate. The private key does not need to be re-uploaded; only the new certificate PEM is required.
We have flagged this to Broadcom and requested the KB article be updated accordingly. Hopefully this post saves someone a few hours of head-scratching.