The current documentation for creating an SSL certificate can leave some questions unanswered. The steps below are intended to help with the process.
The first step is to create an unencrypted key. The key must be named server.key, as shown below.
openssl genrsa -out server.key 2048
Once the key is created, create the CSR to be sent off for approval. Using an OpenSSL configuration template is recommended, especially if you have multiple SANs to include. If there are no SANs, you can refer to our documentation for a simple command. The command below uses an OpenSSL configuration file.
openssl req -new -sha256 -out server.csr -key server.key -config (your_file_name).cnf
You can verify that the CSR was created successfully using:
openssl req -in server.csr -noout -text
Once the CSR has been approved and the certificate is returned, the certificate files need to be combined into one file named server.crt. Open the .crt or .txt files and cut and paste the certificate data into a single text file (using Notepad++ or WordPad). If you have 3 certs, server.crt should have all 3 certs included.
Upload server.key and server.crt to a directory on the VCO, for example /home/vcadmin. Then copy them to the final destination, /etc/nginx/velocloud/ssl/, and give server.key the proper permissions:
cp server.key server.crt /etc/nginx/velocloud/ssl/
chmod 600 /etc/nginx/velocloud/ssl/server.key
Then restart the nginx service with:
systemctl restart nginx
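A hand-assembled server.crt can be checked before the restart step above. nginx pairs the key with the first certificate in the file, so the server certificate has to come first. The script below is an added example, not part of the original article or the VMware documentation. Its function names are hypothetical, and the demo key and certificate (CN vco.example.test) are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for server.key / server.crt before nginx is restarted.

# count_certs CRT: number of PEM certificates in the combined file
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# key_matches_cert KEY CRT: 0 if the FIRST certificate in CRT carries KEY's
# public key (openssl x509 reads only the first PEM block in the file).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# key_is_private KEY: 0 if group and other have no permission bits (mode 600)
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# preflight KEY CRT: run every check, report findings, non-zero on any failure
preflight() {
    rc=0
    echo "certificates in $2: $(count_certs "$2")"
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: first certificate in $2 does not match $1"; rc=1; }
    key_is_private "$1" ||
        { echo "FAIL: $1 is accessible to group or other"; rc=1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: first certificate in $2 is expired or unreadable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key and certificate checks passed"
    return "$rc"
}

# make_demo_pair DIR: constructed throwaway key and self-signed certificate
# (CN is a made-up test name) so the checks can be tried offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=vco.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
        chmod 600 "$1/server.key"
}

# With two arguments, check real files; with none, run on a constructed pair.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else
    demo=$(mktemp -d) && make_demo_pair "$demo" &&
        preflight "$demo/server.key" "$demo/server.crt"
    rm -rf "$demo"
fi
```

On the Orchestrator, pass /etc/nginx/velocloud/ssl/server.key and /etc/nginx/velocloud/ssl/server.crt as the two arguments; a mismatch reported here usually means an intermediate certificate was pasted ahead of the server certificate.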
Combined with our currently available documentation, this should allow SSL installation without issues.
https://docs.vmware.com/en/VMware-SD-WAN/5.2/sd-wan-orchestrator-deployment-and-monitoring-guide/GUID-28909ECB-350E-4A7E-80D5-A5493F92A972.html