For most vCenter certificate management operations, you have to be in the CAAdmins group in the vsphere.local domain. The firstname.lastname@example.org user is in the CAAdmins group. Some operations are allowed for all users.
If you run the vCenter Certificate Manager utility, you are prompted for the password of email@example.com. If you replace certificates manually, different options for the different certificate management CLIs require different privileges.
To run dir-cli commands, you must be a member of the CAAdmins group in the vsphere.local domain. You are prompted for a user name and password each time you run a dir-cli command.
Initially, only the store owner has access to a store. The store owner is the Administrator user on Windows systems and the root user on Linux systems. The store owner can provide access to other users.
The MACHINE_SSL_CERT and TRUSTED_ROOTS stores are special stores. Only the root user or administrator user, depending on the type of installation, has complete access.
Most of the certool commands require that the user is in the CAAdmins group. The firstname.lastname@example.org user is in the CAAdmins group. All users can run the following commands:
For certificate management for ESXi hosts, you must have the privilege. You can set that privilege from the vSphere Web Client.