A set of CLIs allows you to manage VMCA (VMware Certificate Authority), VECS (VMware Endpoint Certificate Store), and VMware Directory Service (vmdir). The vSphere Certificate Manager utility supports many related tasks as well, but the CLIs are required for manual certificate management and for managing other services.

Manual Certificate Replacement gives examples for replacing certificates using CLI commands.

Table 1. CLI Tools for Managing Certificates and Associated Services

| CLI | Description | See |
| --- | --- | --- |
| certool | Generate and manage certificates and keys. Part of VMCAD, the VMware Certificate Management service. | certool Initialization Commands Reference |
| vecs-cli | Manage the contents of VMware Certificate Store instances. Part of VMAFD. | vecs-cli Command Reference |
| dir-cli | Create and update certificates in VMware Directory Service. Part of VMAFD. | dir-cli Command Reference |
| sso-config | Perform some vCenter Single Sign-On configuration. In most cases, using the Platform Services Controller Web interface is recommended. Use this command for two-factor authentication setup. | Command-line help. vCenter Server Two-Factor Authentication |
| service-control | Start or stop services, for example as part of a certificate replacement workflow. | |

CLI Locations

By default, you find the CLIs in the following locations on each node.

Windows

C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe

C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe

C:\Program Files\VMware\vCenter Server\vmcad\certool.exe

C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config

VCENTER_INSTALL_PATH\bin\service-control

Linux

/usr/lib/vmware-vmafd/bin/vecs-cli

/usr/lib/vmware-vmafd/bin/dir-cli

/usr/lib/vmware-vmca/bin/certool

/opt/vmware/bin

On Linux, the service-control command does not require that you specify the path.

If you run commands from a vCenter Server system with an external Platform Services Controller, you can specify the Platform Services Controller with the --server parameter.