A set of CLIs allows you to manage VMCA ( VMware Certificate Authority), VECS (VMware Endpoint Certificate Store), and VMware Directory Service (vmdir). The vSphere Certificate Manager utility supports many related tasks as well, but the CLIs are required for manual certificate management.

Table 1. CLI Tools for Managing Certificates and Associated Services
CLI Description See
certool Generate and manage certificates and keys. Part of VMCA.

certool Initialization Commands Reference

vecs-cli Manage the contents of VMware Certificate Store instances. Part of VMAFD. vecs-cli Command Reference
dir-cli Create and update certificates in VMware Directory Service. Part of VMAFD. dir-cli Command Reference
service-control Start or stop services, for example as part of a certificate replacement workflow

Certificate Management Tool Locations

By default, you find the tools in the following locations on each node.

Windows
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe
C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe
C:\Program Files\VMware\vCenter Server\vmcad\certool.exe
VCENTER_INSTALL_PATH\bin\service-control
Linux
/usr/lib/vmware-vmafd/bin/vecs-cli
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
On Linux, the service-control command does not require that you specify the path.

If you run commands from a management node with an external Platform Services Controller, you can specify the Platform Services Controller with the --server parameter.