You generate new VMCA-signed certificates with the certool CLI or the vSphere Certificate Manager utility and publish the certificates to vmdir.


  1. On the vCenter Server, generate a new self-signed certificate and private key.
    certool --genselfcacert --outprivkey <key_file_path> --outcert <cert_file_path> --config <config_file>
  2. Replace the existing root certificate with the new certificate.
    certool --rootca --cert <cert_file_path> --privkey <key_file_path>
    The command generates the certificate, adds it to vmdir, and adds it to VECS.
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  4. (Optional) Publish the new root certificate to vmdir.
    dir-cli trustedcert publish --cert newRoot.crt
    The command updates all instances of vmdir immediately. If you do not run the command, propagation of the new certificate to all nodes might take a while.
  5. Restart all services.
    service-control --start --all

Example: Generate a New VMCA-Signed Root Certificate

The following example shows all the steps for verifying the current root CA information, and for regenerating the root certificate.
  1. (Optional) On the vCenter Server, list the VMCA root certificate to make sure it is in the certificate store.
    /usr/lib/vmware-vmca/bin/certool --getrootca 
    The output looks similar to this:
            Version: 3 (0x2)
            Serial Number:
  2. (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
    In the simplest case with only one root certificate, the output looks like this:
    Number of entries in store :    1
    Alias : 960d43f31eb95211ba3a2487ac840645a02894bd
    Entry type :    Trusted Cert
            Version: 3 (0x2)
            Serial Number:
  3. Generate a new VMCA root certificate. The command adds the certificate to the TRUSTED_ROOTS store in VECS and in vmdir (VMware Directory Service).
    /usr/lib/vmware-vmca/bin/certool --selfca --config=/usr/lib/vmware-vmca/share/config/certool.cfg