Required privileges depend on the CLI that you are using and on the command that you want to run. For example, for most certificate management operations, you have to an Administrator for the local vCenter Single Sign-On domain (vsphere.local by default). Some commands are available for all users.

dir-cli
You must be a member of the Administrators group in the local domain (vsphere.local by default) to run dir-cli commands. If you do not specify a user name and password, you are prompted for the password for the administrator of the local vCenter Single Sign-On domain, [email protected] by default.
vecs-cli
Initially, only the store owner and users with blanket access privileges have access to a store. Users in the Administrators group on Windows and root users on Linux have blanket access privileges.
The MACHINE_SSL_CERT and TRUSTED_ROOTS stores are special stores. Only the root user or administrator user, depending on the type of installation, has complete access.
certool
Most of the certool commands require that the user is in the Administrators group. All users can run the following commands.
  • genselfcacert
  • initscr
  • getdc
  • waitVMDIR
  • waitVMCA
  • genkey
  • viewcert