Some KMS vendors, for example Thales, require that vCenter Server generate a Certificate Signing Request (CSR) and send that CSR to the KMS. The KMS signs the CSR and returns the signed certificate. You can upload the signed certificate to vCenter Server.

Using the New Certificate Signing Request option is a two-step process. First you generate the CSR and send it to the KMS vendor. Then you upload the signed certificate that you receive from the KMS vendor to vCenter Server.


  1. Navigate to the vCenter Server.
  2. Click Configure and select Key Management Servers.
  3. Select the KMS instance with which you want to establish a trusted connection.
  4. Select New Certificate Signing Request and click OK.
  5. In the dialog box, copy the full certificate in the text box to the clipboard or download it as a file, and click OK.
    Use the Generate new CSR button in the dialog box only if you explicitly want to generate a CSR. Using that option makes any signed certificates that are based on the old CSR invalid.
  6. Follow the instructions from your KMS vendor to submit the CSR.
  7. When you receive the signed certificate from the KMS vendor, click Key Management Servers again, and select New Certificate Signing Request again.
  8. Paste the signed certificate into the bottom text box or click Upload File and upload the file, and click OK.

What to do next

Finalize the trust relationship. See Complete the Trust Setup.