You can add a Key Management Server (KMS) to your vCenter Server system from the vSphere Client (HTML5-based client) or by using the public API.

The vSphere Client (HTML5-based client) provides a wizard to add a KMS to your vCenter Server system, and establish trust between the KMS and vCenter Server.

vCenter Server creates a KMS cluster when you add the first KMS instance.

  • After vCenter Server creates the first cluster, you can add KMS instances from the same vendor to the cluster.
  • You can set up the cluster with only one KMS instance.
  • If your environment supports KMS solutions from different vendors, you can add multiple KMS clusters.
  • If your environment includes multiple KMS clusters, and you delete the default cluster, you must set another default explicitly.
Note: The following steps apply to vCenter Server Appliance. For vCenter Server on Windows, you are prompted to first make the KMS trust vCenter Server, then make vCenter Server trust the KMS.

Prerequisites

  • Verify that the key server is in the VMware Compatibility Guide for Key Management Servers (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
  • Verify that you have the required privileges: Cryptographic operations.Manage key servers.
  • You can configure the KMS with IPv6 addresses.
    • Both vCenter Server and the KMS can be configured with only IPv6 addresses.

Procedure

  1. Log in to the vCenter Server system with the vSphere Client (HTML5-based client).
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure and click Key Management Servers.
  4. Click Add, specify the KMS information in the wizard, and click OK.
  5. Click Trust.
    The wizard displays a green check mark to show that vCenter Server trusts the KMS.
  6. Click Make KMS Trust vCenter.
  7. Select the option appropriate for your server and complete the steps.
    Option                              See
    Root CA certificate                 Use the Root CA Certificate Option to Establish a Trusted Connection.
    Certificate                         Use the Certificate Option to Establish a Trusted Connection.
    New Certificate Signing Request     Use the New Certificate Signing Request Option to Establish a Trusted Connection.
    Upload certificate and private key  Use the Upload Certificate and Private Key Option to Establish a Trusted Connection.
  8. Click Establish Trust.
    The wizard displays a green check mark to show that the KMS trusts vCenter Server.
  9. Set the default KMS.
    1. From the Actions menu, select Change Default Cluster.
    2. Select the KMS cluster and click Save.
      The wizard displays the KMS cluster as the current default.
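The same steps driven through the public vSphere API with pyVmomi instead of the wizard, as an added example that is not VMware's own code; the vCenter host and credentials, the KMS address and the cluster id kms-cluster-1 are assumed. The trust_state helper reports which of the wizard's two green check marks is still missing for a server.

```python
import ssl
import time

def trust_state(client_trust_server, server_trust_client):
    """Map the two trust flags vCenter reports for a KMS to the wizard step
    still pending: clientTrustServer is the 'Trust' step (vCenter trusts the
    KMS), serverTrustClient is the 'Make KMS Trust vCenter' step."""
    if not client_trust_server:
        return "vcenter-must-trust-kms"
    if not server_trust_client:
        return "kms-must-trust-vcenter"
    return "trusted"

def register_and_trust(si, cluster_id, name, address, port=5696):
    """Register the KMS (step 4), make vCenter trust its certificate (step 5)
    and return the vCenter client certificate the KMS admin imports (step 6)."""
    from pyVmomi import vim  # imported here so trust_state() runs without pyVmomi
    cm = si.RetrieveContent().cryptoManager  # CryptoManagerKmip on vCenter
    provider = vim.encryption.KeyProviderId(id=cluster_id)
    info = vim.encryption.KmipServerInfo(name=name, address=address, port=port)
    cm.RegisterKmipServer(vim.encryption.KmipServerSpec(clusterId=provider, info=info))
    cert = cm.RetrieveKmipServerCert(provider, info)  # check cert.certInfo before trusting
    cm.UploadKmipServerCert(provider, cert.certificate)
    return cm.RetrieveClientCert(provider)  # PEM for the Root CA / Certificate option

def report_and_set_default(si, cluster_id):
    """Poll each server's trust status (the wizard's green check marks) and
    mark the cluster as default (step 9) only once every server is trusted."""
    from pyVmomi import vim
    cm = si.RetrieveContent().cryptoManager
    cluster = [c for c in cm.kmipServers if c.clusterId.id == cluster_id]
    task = cm.RetrieveKmipServersStatus(cluster)
    while task.info.state in (vim.TaskInfo.State.queued, vim.TaskInfo.State.running):
        time.sleep(1)
    states = {s.name: trust_state(s.clientTrustServer, s.serverTrustClient)
              for c in task.info.result for s in c.servers}
    if all(v == "trusted" for v in states.values()):
        cm.MarkDefault(cluster[0].clusterId)
    return states

if __name__ == "__main__":  # assumed host names and credentials, not from the page
    from pyVim.connect import SmartConnect, Disconnect
    si = SmartConnect(host="vcenter.example.internal", user="administrator@vsphere.local",
                      pwd="<password>", sslContext=ssl.create_default_context())
    print(register_and_trust(si, "kms-cluster-1", "kms1", "kms.example.internal"))
    print(report_and_set_default(si, "kms-cluster-1"))
    Disconnect(si)
```

Between register_and_trust and report_and_set_default the KMS administrator must import the returned client certificate on the KMS side, exactly as in step 7 of the wizard; until then the report shows kms-must-trust-vcenter and the cluster is not made default.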