You generate new VMCA-signed certificates with the certool CLI or the vSphere Certificate Manager utility and publish the certificates to vmdir.

In a multi-node deployment, you run root certificate generation commands on the Platform Services Controller.


  1. Generate a new self-signed certificate and private key.
    certool --genselfcacert --outprivkey <key_file_path> --outcert <cert_file_path> --config <config_file>
  2. Replace the existing root certificate with the new certificate.
    certool --rootca --cert <cert_file_path> --privkey <key_file_path>
    The command generates the certificate, adds it to vmdir, and adds it to VECS.
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.
    The service names differ on Windows and the vCenter Server Appliance.
    Note: If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
    service-control --stop --all
    service-control --start VMWareAfdService
    service-control --start VMWareDirectoryService
    service-control --start VMWareCertificateService
    vCenter Server Appliance
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  4. (Optional) Publish the new root certificate to vmdir.
    dir-cli trustedcert publish --cert newRoot.crt
    The command updates all instances of vmdir immediately. If you don't run the command, propagation of the new certificate to all nodes might take a while.
  5. Restart all services.
    service-control --start --all

Example: Generate a New VMCA-Signed Root Certificate

The following example shows all the steps for verifying the current root CA information, and for regenerating the root certificate.
  1. (Optional) List the VMCA root certificate to make sure it is in the certificate store.
    • On a Platform Services Controller node or embedded installation:
      C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca
    • On a management node (external installation):
      C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca --server=<psc-ip-or-fqdn>
    The output looks similar to this:
            Version: 3 (0x2)
            Serial Number:
  2. (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.

    This command works on both Platform Services Controller nodes and management nodes because VECS polls vmdir.

    "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOTS  --text
    In the simplest case with only one root certificate, the output looks like this:
    Number of entries in store :    1
    Alias : 960d43f31eb95211ba3a2487ac840645a02894bd
    Entry type :    Trusted Cert
            Version: 3 (0x2)
            Serial Number:
  3. Generate a new VMCA root certificate. The command adds the certificate to the TRUSTED_ROOTS store in VECS and in vmdir (VMware Directory Service).
    C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --selfca --config="C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"

    On Windows, --config is optional because the command uses the default certool.cfg file.