For most vCenter certificate management operations, you have to be in the CAAdmins group in the vsphere.local domain. The administrator@vsphere.local user is in the CAAdmins group. Some operations are allowed for all users.

If you run the vCenter Certificate Manager utility, you are prompted for the password of administrator@vsphere.local. If you replace certificates manually, different options for the different certificate management CLIs require different privileges.

dir-cli

You must be a member of the CAAdmins group in the vsphere.local domain. You are prompted for a user name and password each time you run a dir-cli command.

vecs-cli

Initially, only the store owner has access to a store. The store owner is the Administrator user on Windows systems and the root user on Linux systems. The store owner can provide access to other users.

The MACHINE_SSL_CERT and TRUSTED_ROOTS stores are special stores. Only the root user or administrator user, depending on the type of installation, has complete access.

certool

Most certool commands require that the user be a member of the CAAdmins group. The administrator@vsphere.local user is in the CAAdmins group. All users can run the following commands:

  • genselfcacert
  • initcsr
  • getdc
  • waitVMDIR
  • waitVMCA
  • genkey
  • viewcert

For certificate management for ESXi hosts, you must have the Certificates > Manage Certificates privilege. You can set that privilege from the vSphere Web Client.