Platform Services Controller includes scripts for generating CSRs, managing certificates and managing services.

For example, you can use the certool utility to generate CSRs and to replace certificates, both for scenarios with embedded Platform Services Controller and for scenarios with external Platform Services Controller. See Managing Certificates with the vSphere Certificate Manager Utility.

Use the CLIs for management tasks that the Web interfaces do not support, or to create custom scripts for your environment.

Table 1. CLIs for Managing Certificates and Associated Services





Generate and manage certificates and keys. Part of VMCA.

certool Initialization Commands Reference


Manage the contents of VMware Certificate Store instances. Part of VMAFD.

vecs-cli Command Reference


Create and update certificates in VMware Directory Service. Part of VMAFD.

dir-cli Command Reference


Utility for configuring smart card authentication.

vCenter Server Two-Factor Authentication


Command for starting, stopping, and listing services.

Run this command to stop services before running other CLI commands.


  1. Log in to the Platform Services Controller shell.

    In most cases, you have to be the root or Administrator user. See Required Privileges for Running CLIs for details.

  2. Access a CLI at one of the following default locations.

    The required privileges depend on the task that you want to perform. In some cases, you are prompted for the password twice to safeguard sensitive information.


    C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe

    C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe

    C:\Program Files\VMware\vCenter Server\vmcad\certool.exe

    C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config







    On Linux, the service-control command does not require that you specify the path.