If you set up your ESXi hosts to use custom certificates, you must update the TRUSTED_ROOTS store on the vCenter Server system that manages the hosts.
Replace the certificates on each host with custom certificates.
- Log in to the vCenter Server system that manages the ESXi hosts.
Log in to the Windows system on which you installed the software, or log in to the vCenter Server Appliance shell.
- To add the new certificates to the TRUSTED_ROOTS store, run dir-cli, for example:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish <path_to_RootCA>
| Option | Description |
| --- | --- |
| Linux | /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish <path_to_RootCA> |
| Windows | C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli trustedcert publish <path_to_RootCA> |
- When prompted, provide the Single Sign-On Administrator credentials.
- If your custom certificates are issued by an intermediate CA, you must also add the intermediate CA to the TRUSTED_ROOTS store on the vCenter Server, for example:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish <path_to_intermediateCA>
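A pre-flight check for the publish steps above, as an added example that is not part of the VMware documentation: it confirms that each file you plan to publish is a CA certificate and that an ESXi host certificate verifies against those files alone, so a missing intermediate CA is caught before the host appears untrusted. It assumes the openssl CLI is available; the function names and the DIR_CLI variable are hypothetical.

```shell
#!/bin/sh
# Added example, not VMware code. Requires the openssl CLI.
# DIR_CLI defaults to the Linux path shown in the procedure.
DIR_CLI=${DIR_CLI:-/usr/lib/vmware-vmafd/bin/dir-cli}

# is_ca <cert.pem>: succeed if the certificate has basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ca_role <cert.pem>: print "root" when subject equals issuer (self-signed
# CA), otherwise "intermediate".
ca_role() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 1
    if [ "${subj#*=}" = "${iss#*=}" ]; then echo root; else echo intermediate; fi
}

# plan_publish <host_cert.pem> <ca.pem>...: confirm each CA file is a CA
# certificate and that the host certificate verifies against the supplied
# roots and intermediates alone, then print one publish command per CA file.
# Nothing is published; the output is for review before running dir-cli.
plan_publish() {
    host=$1; shift
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/empty"; : > "$tmp/roots.pem"; : > "$tmp/inter.pem"
    cmds=
    for ca in "$@"; do
        is_ca "$ca" || { echo "not a CA certificate: $ca" >&2; rm -rf "$tmp"; return 1; }
        case $(ca_role "$ca") in
            root) { cat "$ca"; echo; } >> "$tmp/roots.pem" ;;
            *)    { cat "$ca"; echo; } >> "$tmp/inter.pem" ;;
        esac
        cmds="$cmds$DIR_CLI trustedcert publish $ca
"
    done
    # The empty -CApath keeps the default CA directory out of the check.
    set -- -CAfile "$tmp/roots.pem" -CApath "$tmp/empty"
    if [ -s "$tmp/inter.pem" ]; then set -- "$@" -untrusted "$tmp/inter.pem"; fi
    if openssl verify "$@" "$host" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    if [ "$rc" -ne 0 ]; then
        echo "$host does not verify against the supplied CA files" >&2
        return 1
    fi
    printf '%s' "$cmds"
}

if [ "$#" -ge 2 ]; then plan_publish "$@"; fi
```

Run it as `sh check.sh <host_cert> <path_to_RootCA> [<path_to_intermediateCA> ...]`, where `check.sh` is whatever name you save it under.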
What to do next
Set certificate mode to Custom. If certificate mode is VMCA, the default, and you perform a certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See Change the Certificate Mode.