If you set up your ESXi hosts to use custom certificates, you must update the TRUSTED_ROOTS store on the vCenter Server system that manages the hosts.


Replace the certificates on each host with custom certificates.

Note: This step is not required if the vCenter Server system is also running with custom certificates issued by the same CA as those installed on the ESXi hosts.


  1. Log in to the vCenter Server system that manages the ESXi hosts.
    Log in to the Windows system on which you installed the software, or log in to the vCenter Server Appliance shell.
  2. To add the new certificates to the TRUSTED_ROOTS store, run dir-cli, for example:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish <path_to_RootCA>
    Option Description
    //usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish <path_to_RootCA>
    C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli trustedcert publish <path_to_RootCA>
  3. When prompted, provide the Single Sign-On Administrator credentials.
  4. If your custom certificates are issued by an intermediate CA, you must also add the intermediate CA to the TRUSTED_ROOTS store on the vCenter Server, for example:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish <path_to_intermediateCA>

What to do next

Set certificate mode to Custom. If certificate mode is VMCA, the default, and you perform a certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See Change the Certificate Mode.