This is the procedure I used to generate and import signed certificates for vCloud Automation Center 6.0.
Identity Appliance
- Generate private key and certificate signing request with OpenSSL. Common name is FQDN of the Identity Appliance.
openssl.exe req -newkey rsa:2048 -keyout sso.key -nodes -days 3650 -out sso.csr -sha256
Loading ‘screen’ into random state – done
Generating a 2048 bit RSA private key
……………………………………………….+++
………………………………………………+++
writing new private key to ‘sso.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Prague
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fojta.com
Organizational Unit Name (eg, section) []:vCAC Identity Appliance
Common Name (e.g. server FQDN or YOUR name) []:vcacsso.fojta.com
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Sign the certificate signing request sso.csr with your CA. Download the signed certificate in Base 64 encoded format (sso.cer).
- In the SSO > SSL section of Identity Appliance VAMI interface (https://<Identity Appliance FQDN>:5480) choose action: Import PEM encoded Certificate.
- Paste the private key sso.key to the RSA Private Key field
- Paste the signed certificate sso.cer to the Certificate Chain section. Append CA root certificate as well.
- Click Replace Certificate.
vCAC Appliance
The process is identical – the only difference is the certificate Common Name and that we are using vCAC Appliance VAMI interface (http://<vCAC Appliance FQDN>:5480 for the import.
IaaS Components
In distributed architecture there can be multiple IaaS components: load balanced website components with Model Manager, Manager service with DEM Orchestrator (active/passive) and multiple Agents and DEM Workers. All those components are Windows based with identical procedure to create domain certificate.
- Open Microsoft Management Console (mmc.exe) and add Certificates Snap-In (manage Computer account, Local computer).
- Browse to the Personal Certificates folder and select action Request New Certificate.
- Request Active Directory Enrollment Policy > Web Server. In the Subject tab configure certificate properties (FullDN, Common Name, Country, etc.), in the General tab type friendly name and in the Private Key tab make private key exportable.
- Finish by clicking Enroll. Your Domain based CA should now issue the signed certificate.
See my older post that describes this in more detail with screenshots.
Tom Fojta's Blog 
And if you ever need the VAMI certificate:
/opt/vmware/etc/lighttpd/
Certificate: server.pem
It can be exported and imported into domain/local keystores, but cannot be changed. It’s created upon build at Palo Alto before the appliance is released as GA.
Both the ID VA and CAFE VA have the cert in the same place.