The vecs-cli command set allows you to manage VMware Certificate Store (VECS) instances. Use these commands together with dir-cli and certool to manage your certificate infrastructure.

vecs-cli store create

Creates a certificate store.

Option                            Description
--name <name>                     Name of the certificate store.

Example:

vecs-cli store create --name <store>

vecs-cli store delete

Deletes a certificate store. You cannot delete certificate stores that are predefined by the system.

Option                            Description
--name <name>                     Name of the certificate store to delete.

Example:

vecs-cli store delete --name <store>

vecs-cli store list

Lists certificate stores.

VECS includes the following stores.

Table 1. Stores in VECS

Store

Description

Machine SSL store (MACHINE_SSL_CERT)

  • Used by the reverse proxy service on every vSphere node.

  • Used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.

All services in vSphere 6.0 communicate through a reverse proxy, which uses the machine SSL certificate. For backward compatibility, the 5.x services still use specific ports. As a result, some services such as vpxd still have their own port open.

Trusted root store (TRUSTED_ROOTS)

Contains all trusted root certificates.

Solution user stores

  • machine

  • vpxd

  • vpxd-extensions

  • vsphere-webclient

VECS includes one store for each solution user. The subject of each solution user certificate must be unique, for example, the machine certificate cannot have the same subject as the vpxd certificate.

Solution user certificates are used for authentication with vCenter Single Sign-On. vCenter Single Sign-On checks that the certificate is valid, but does not check other certificate attributes. In an embedded deployment, all solution user certificates are on the same system.

The following solution user certificate stores are included in VECS on each management node and each embedded deployment:

  • machine: Used by component manager, license server, and the logging service.

    Note:

    The machine solution user certificate has nothing to do with the machine SSL certificate. The machine solution user certificate is used for the SAML token exchange; the machine SSL certificate is used for secure SSL connections for a machine.

  • vpxd: vCenter service daemon (vpxd) store on management nodes and embedded deployments. vpxd uses the solution user certificate that is stored in this store to authenticate to vCenter Single Sign-On.

  • vpxd-extensions: vCenter extensions store. Includes the Auto Deploy service, inventory service, and other services that are not part of other solution users.

  • vsphere-webclient: vSphere Web Client store. Also includes some additional services such as the performance chart service.

The machine store is also included on each Platform Services Controller node.

vSphere Certificate Manager Utility backup store (BACKUP_STORE)

Used by VMCA (VMware Certificate Manager) to support certificate revert. Only the most recent state is stored as a backup; you cannot go back more than one step.

Other stores

Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.

Note:

CRLs are not supported in vSphere 6.0. Nevertheless, deleting the TRUSTED_ROOTS_CRLS store can damage your certificate infrastructure. Do not delete or modify the TRUSTED_ROOTS_CRLS store.

Example:

vecs-cli store list

vecs-cli store permissions

Grants or revokes permissions to the store. Use either the --grant or the --revoke option.

The owner of the store has all control of its store, including granting and revoking permissions. The administrator has all privileges on all stores, including granting and revoking permissions.

You can use vecs-cli get-permissions --name <store-name> to retrieve the current settings for the store.

Option                            Description
--name <name>                     Name of the certificate store.
--user <username>                 Unique name of the user who is granted permissions.
--grant [read|write]              Permission to grant, either read or write.
--revoke [read|write]             Permission to revoke, either read or write. Not currently supported.

vecs-cli entry create

Create an entry in VECS. Use this command to add a private key or certificate to a store.

Option                            Description
--store <NameOfStore>             Name of the certificate store.
--alias <Alias>                   Optional alias for the certificate. This option is ignored for the trusted root store.
--cert <certificate_file_path>    Full path of the certificate file.
--key <key-file-path>             Full path of the key that corresponds to the certificate. Optional.

vecs-cli entry list

List all entries in a specified store.

Option                            Description
--store <NameOfStore>             Name of the certificate store.
--text                            Displays a human-readable version of the certificate.
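As an added example (not part of the VMware documentation), the following Python script drives vecs-cli store list and vecs-cli entry list --store <store> to snapshot the entries of every store, and reports entries added to or removed from any store since a saved baseline, which is a practical check for unexpected changes to TRUSTED_ROOTS or a solution user store. It assumes the Alias / Entry type line format shown in the constructed sample and that vecs-cli is on PATH; the real invocation sits behind run_vecs so the parsing and diff logic also runs offline.

```python
"""Inventory VECS stores via vecs-cli and flag drift against a saved baseline.
Output format of `vecs-cli entry list` is assumed from the constructed sample
below; vecs-cli sits behind run_vecs so parsing and diffing run offline."""
import json
import subprocess
from typing import Callable, Dict, List

# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS` output (aliases are made up).
SAMPLE_OUTPUT = (
    "Number of entries in store :\t2\n"
    "Alias :\tcafe0000000000000000000000000000deadbeef\n"
    "Entry type :\tTrusted Cert\n"
    "Alias :\t0123456789abcdef0123456789abcdef01234567\n"
    "Entry type :\tTrusted Cert\n"
)

def run_vecs(args: List[str]) -> str:
    """Invoke the real vecs-cli (assumed on PATH; on the appliance it is under /usr/lib/vmware-vmafd/bin)."""
    return subprocess.run(["vecs-cli", *args], check=True, capture_output=True, text=True).stdout

def parse_entry_list(output: str) -> Dict[str, str]:
    """Return {alias: entry type} from the Alias / Entry type line pairs."""
    entries, alias = {}, None
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Alias":
            alias = value.strip()
        elif sep and key.strip() == "Entry type" and alias is not None:
            entries[alias] = value.strip()
            alias = None
    return entries

def inventory(run: Callable[[List[str]], str] = run_vecs) -> Dict[str, Dict[str, str]]:
    """Snapshot every store named by `vecs-cli store list` as {store: {alias: entry type}}."""
    stores = [s.strip() for s in run(["store", "list"]).splitlines() if s.strip()]
    return {s: parse_entry_list(run(["entry", "list", "--store", s])) for s in stores}

def diff_inventory(baseline: Dict[str, Dict[str, str]], current: Dict[str, Dict[str, str]]) -> List[str]:
    """Entries added to or removed from any store since the baseline (empty list means no drift)."""
    findings = []
    for store in sorted(set(baseline) | set(current)):
        old, new = baseline.get(store, {}), current.get(store, {})
        findings += [f"{store}: ADDED {a} ({new[a]})" for a in sorted(set(new) - set(old))]
        findings += [f"{store}: REMOVED {a} ({old[a]})" for a in sorted(set(old) - set(new))]
    return findings
```

Save `json.dumps(inventory())` once as the baseline after a known-good certificate operation, then run `diff_inventory(json.load(open(path)), inventory())` on a schedule and alert on any non-empty result.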

vecs-cli entry getcert

Retrieve a certificate from VECS. You can send the certificate to an output file or display it as human-readable text.

Option                            Description
--store <NameOfStore>             Name of the certificate store.
--alias <Alias>                   Alias of the certificate.
--output <output_file_path>       File to write the certificate to.
--text                            Displays a human-readable version of the certificate.

vecs-cli entry getkey

Retrieves a key that is stored in VECS. You can send the key to an output file or display it as human-readable text.

Option                            Description
--store <NameOfStore>             Name of the certificate store.
--alias <Alias>                   Alias for the key.
--output <output_file_path>       Output file to write the key to.
--text                            Displays a human-readable version of the key.

vecs-cli entry delete

Deletes an entry from a certificate store. Deleting an entry removes it from VECS permanently. The only exception is the current root certificate: VECS polls vmdir for the root certificate, so that entry is added back.

Option                            Description
--store <NameOfStore>             Name of the certificate store.
--alias <Alias>                   Alias for the entry you want to delete.

vecs-cli force-refresh

Forces a refresh of vecs-cli. When that happens, vecs-cli is updated to use the most recent information in vmdir. By default, VECS polls vmdir for new root certificate files every 5 minutes. Use this command for an immediate update of VECS from vmdir.