VMware Endpoint Certificate Store (VECS) serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.
VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node, and holds the keystores that contain the certificates and keys.
VECS polls VMware Directory Service (vmdir) periodically for updates to the trusted root store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands. See vecs-cli Command Reference.
Machine SSL store (MACHINE_SSL_CERT)
All services in vSphere 6.0 and later communicate through a reverse proxy, which uses the machine SSL certificate. For backward compatibility, the 5.x services still use specific ports. As a result, some services such as vpxd still have their own port open.

Trusted root store (TRUSTED_ROOTS)
Contains all trusted root certificates.

Solution user stores
VECS includes one store for each solution user. The subject of each solution user certificate must be unique; for example, the machine certificate cannot have the same subject as the vpxd certificate.
Solution user certificates are used for authentication with vCenter Single Sign-On. vCenter Single Sign-On checks that the certificate is valid, but does not check other certificate attributes. In an embedded deployment, all solution user certificates are on the same system.
The following solution user certificate stores are included in VECS on each management node and each embedded deployment:
Each Platform Services Controller node includes a

vSphere Certificate Manager Utility backup store (BACKUP_STORE)
Used by VMCA (VMware Certificate Manager) to support certificate revert. Only the most recent state is stored as a backup; you cannot go back more than one step.

Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.
Note: Deleting the TRUSTED_ROOTS_CRLS store can damage your certificate infrastructure. Do not delete or modify the TRUSTED_ROOTS_CRLS store.
The vCenter Single Sign-On service stores the token signing certificate and its SSL certificate on disk. You can change the token signing certificate from the vSphere Client.
Some certificates are stored on the file system, either temporarily during startup or permanently. Do not change the certificates on the file system. Use vecs-cli to perform operations on certificates that are stored in VECS.
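The rule that each solution user certificate subject must be unique can be checked read-only with vecs-cli. The script below is an added example, not VMware code: it assumes vecs-cli is installed at /usr/lib/vmware-vmafd/bin/vecs-cli and that `entry list --text` prints an `Alias :` line and an openssl-style `Subject:` line per entry. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not VMware code): report certificate subjects that occur in
# more than one VECS entry, since each solution user subject must be unique.
# Assumption: `vecs-cli entry list --store NAME --text` prints an "Alias :"
# line and an openssl-style "Subject:" line for every entry.
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"

# stdin: --text listing of one store; $1: store name.
# stdout: "subject<TAB>store/alias" for each certificate found.
entry_subjects() {
  awk -v store="$1" '
    { sub(/[ \t\r]+$/, "") }
    /^Alias[ \t]*:/   { sub(/^Alias[ \t]*:[ \t]*/, ""); alias = $0; next }
    /^[ \t]*Subject:/ { sub(/^[ \t]*Subject:[ \t]*/, ""); print $0 "\t" store "/" alias }
  '
}

# stdin: entry_subjects lines; stdout: "subject<TAB>entry,entry" for repeats.
duplicate_subjects() {
  awk -F '\t' '
    { where[$1] = (n[$1]++ ? where[$1] "," : "") $2 }
    END { for (s in n) if (n[s] > 1) print s "\t" where[s] }
  ' | sort
}

# Read-only audit. With no arguments it walks every store except the trusted
# root and backup stores, which hold no live solution user certificates.
audit_vecs() {
  [ "$#" -gt 0 ] || set -- $("$VECS_CLI" store list | grep -vxE 'TRUSTED_ROOTS|BACKUP_STORE')
  for store in "$@"; do
    "$VECS_CLI" entry list --store "$store" --text | entry_subjects "$store"
  done | duplicate_subjects
}

# Constructed sample listing (alias $1, subject $2) for trying the parser offline.
sample_listing() {
  printf 'Number of entries in store :\t1\nAlias :\t%s\nEntry type :\tPrivate Key\n' "$1"
  printf 'Certificate:\n    Data:\n        Issuer: CN=CA, O=example.test\n'
  printf '        Subject: %s\n        Subject Public Key Info:\n' "$2"
  printf '        X509v3 Subject Key Identifier:\n'
}
```

Run `audit_vecs` on the node itself; empty output means no subject is shared between the audited stores.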