vCenter Server includes scripts for generating Certificate Signing Requests (CSRs), managing certificates, and managing services.

For example, you can use the certool utility to generate CSRs and to replace certificates. See Managing Certificates with the vSphere Certificate Manager Utility.

Use the CLIs for management tasks that the vSphere Client does not support, or to create custom scripts for your environment.

Table 1. CLIs for Managing Certificates and Associated Services
CLI Description Links
certool Generate and manage certificates and keys. Part of VMware Certificate Authority (VMCA).

certool Initialization Commands Reference

vecs-cli Manage the contents of VMware Certificate Store instances. Part of VMware Authentication Framework Daemon (VMAFD). vecs-cli Command Reference
dir-cli Create and update certificates in VMware Directory Service. Part of VMAFD. dir-cli Command Reference
sso-config Update Security Token Service (STS) certificates. Replace a vCenter Server STS Certificate Using the Command Line
service-control Command for starting, stopping, and listing services. Run this command to stop services before running other CLI commands.


Enable SSH login to vCenter Server. See Manage vCenter Server with the Management Interface.


  1. Log in to the vCenter Server shell.
    Usually, you have to be the root or Administrator user. See Required Privileges for Running CLIs for details.
  2. Access a CLI at one of the following default locations.
    The required privileges depend on the task that you want to perform. Sometimes, you are prompted for the password twice to safeguard sensitive information.

    The service-control command does not require that you enter the path.