For most vCenter certificate management operations, you have to be in the CAAdmins group in the vsphere.local domain. The email@example.com user is in the CAAdmins group. Some operations are allowed for all users.
- You must be a member of the CAAdmins group in the vsphere.local domain. You are prompted for a user name and password each time you run a dir-cli command.
- Initially, only the store owner has access to a store. The store owner is the Administrator user on Windows systems and the root user on Linux systems. The store owner can provide access to other users.
- The MACHINE_SSL_CERT and TRUSTED_ROOTS stores are special stores. Only the root user or administrator user, depending on the type of installation, has complete access.

For certificate management for ESXi hosts, you must have the privilege. You can set that privilege from the vSphere Web Client.