Some KMS vendors such as SafeNet require that you upload your root CA certificate to the KMS. All certificates that are signed by your root CA are then trusted by this KMS.
The root CA certificate that vSphere Virtual Machine Encryption uses is a self-signed certificate that is stored in a separate store in the VMware Endpoint Certificate Store (VECS) on the vCenter Server system.
Note: Generate a root CA certificate only if you want to replace existing certificates. If you do, other certificates that are signed by that root CA become invalid. You can generate a new root CA certificate as part of this workflow.
Procedure
What to do next
Finalize the certificate exchange. See Complete the Trust Setup.