You can manage VMCA (VMware Certificate Authority), VECS (VMware Endpoint Certificate Store), VMware Directory Service (vmdir), and Security Token Service (STS) certificates by using a set of CLIs. The vSphere Certificate Manager utility supports many related tasks as well, but the CLIs are required for manual certificate management and for managing other services.
You normally access the CLI tools for managing certificates and associated services by using SSH to connect to the appliance shell. See the VMware knowledge base article at http://kb.vmware.com/kb/2100508 for more information.
The Manual Certificate Replacement section gives examples of replacing certificates by using CLI commands.
CLI | Description | See |
---|---|---|
certool | Generate and manage certificates and keys. Part of VMCAD, the VMware Certificate Management service. | |
vecs-cli | Manage the contents of VMware Certificate Store instances. Part of VMware Authentication Framework Daemon (VMAFD). | vecs-cli Command Reference |
dir-cli | Create and update certificates in VMware Directory Service. Part of VMAFD. | dir-cli Command Reference |
sso-config | Manage STS certificates. | Command-line help. |
service-control | Start or stop services, for example as part of a certificate replacement workflow. | Run this command to stop services before running other CLI commands. |
CLI Locations
By default, you find the CLIs in the following locations.
```
/usr/lib/vmware-vmafd/bin/vecs-cli
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
/opt/vmware/bin/sso-config.sh
```