You generate new VMCA-signed certificates with the certool CLI and publish them to vmdir.

In a multi-node deployment, you run root certificate generation commands on the Platform Services Controller.


  1. Generate a new self-signed certificate and private key.
    certool --genselfcacert --outprivkey <key_file_path> --outcert <cert_file_path> --config <config_file>
  2. Replace the existing root certificate with the new certificate.
    certool --rootca --cert <cert_file_path> --privkey <key_file_path>
    The command generates the certificate, adds it to vmdir, and adds it to VECS.
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.
    The service names differ on Windows and the vCenter Server Appliance.
    service-control --stop --all
    service-control --start VMWareAfdService
    service-control --start VMWareDirectoryService
    service-control --start VMWareCertificateService
    vCenter Server Appliance
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  4. (Optional) Publish the new root certificate to vmdir.
    dir-cli trustedcert publish --cert newRoot.crt
    When you run this command, all instances of vmdir are updated immediately. Otherwise, propagation to all instances might take a while.
  5. Restart all services.
    service-control --start --all

Example: Generate a New VMCA-Signed Root Certificate

The following example shows the full set of steps for verifying the current root CA information, and regenerating the root certificate.
  1. (Optional) List the VMCA root certificate to make sure it is in the certificate store.
    • On a Platform Services Controller node or embedded installation:
      C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca
    • On a management node (external installation):
      C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca --server=<psc-ip-or-fqdn>
    The output looks similar to this:
            Version: 3 (0x2)
            Serial Number:
  2. (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.

    This command works on both Platform Services Controller and management nodes because VECS polls vmdir.

    "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOTS  --text
    In the simplest case with only one root certificate, the output looks like this:
    Number of entries in store :    1
    Alias : 960d43f31eb95211ba3a2487ac840645a02894bd
    Entry type :    Trusted Cert
            Version: 3 (0x2)
            Serial Number:
  3. Generate a new VMCA root certificate. The certificate is added to the TRUSTED_ROOTS store in VECS and in vmdir (VMware Directory Service).
    C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --selfca --config="C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"

    On Windows, --config is optional because the command uses the default certool.cfg file.