VMware Endpoint Certificate Store (VECS) serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every vCenter Server node, and holds the keystores that contain the certificates and keys.

VECS polls VMware Directory Service (vmdir) periodically for updates to the trusted root store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands. See vecs-cli Command Reference.

VECS includes the following stores.
Table 1. Stores in VECS
Machine SSL store (MACHINE_SSL_CERT):
  • Used by the reverse proxy service on every vSphere node.
  • Used by the VMware Directory Service (vmdir) on each vCenter Server node.

All services in vSphere 6.0 and later communicate through a reverse proxy, which uses the machine SSL certificate. For backward compatibility, the 5.x services still use specific ports. As a result, some services such as vpxd still have their own port open.

Solution user stores:
  • machine
  • vpxd
  • vpxd-extension
  • vsphere-webclient
  • wcp
VECS includes one store for each solution user. The subject of each solution user certificate must be unique, for example, the machine certificate cannot have the same subject as the vpxd certificate.

Solution user certificates are used for authentication with vCenter Single Sign-On. vCenter Single Sign-On checks that the certificate is valid, but does not check other certificate attributes.

The following solution user certificate stores are included in VECS:

  • machine: Used by the license server and the logging service.
    Note: The machine solution user certificate has nothing to do with the machine SSL certificate. The machine solution user certificate is used for the SAML token exchange. The machine SSL certificate is used for secure SSL connections for a machine.
  • vpxd: vCenter service daemon (vpxd) store. vpxd uses the solution user certificate that is stored in this store to authenticate to vCenter Single Sign-On.
  • vpxd-extension: vCenter extensions store. Includes the Auto Deploy service, inventory service, and other services that are not part of other solution users.
  • vsphere-webclient: vSphere Client store. Also includes some additional services such as the performance chart service.
  • wcp: VMware vSphere® with VMware Tanzu™ store. Also used for vSphere Cluster Services.

Each vCenter Server node includes a machine certificate.

Trusted root store (TRUSTED_ROOTS): Contains all trusted root certificates.

vSphere Certificate Manager Utility backup store (BACKUP_STORE): Used by VMCA (VMware Certificate Manager) to support certificate revert. Only the most recent state is stored as a backup; you cannot go back more than one step.

Other stores: Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.
Note: Deleting the TRUSTED_ROOTS_CRLS store can damage your certificate infrastructure. Do not delete or modify the TRUSTED_ROOTS_CRLS store.
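The table above states two rules an operator should verify rather than assume: every solution user certificate must have a unique subject, and vCenter Single Sign-On checks only that a solution user certificate is valid, not its other attributes. The following Go program is an added example, not VMware code and not part of this page. It audits PEM certificates that have already been exported from VECS (for example with vecs-cli entry getcert) against the TRUSTED_ROOTS bundle: it flags duplicate subjects across the solution user stores, certificates that do not chain to a trusted root, and certificates expiring within a threshold. Everything it operates on is constructed in place (a throwaway root CA, an unrelated "rogue" root, the organization string, and the 30-day warning window are all assumptions); in real use the BuildSample stand-in would be replaced by the exported files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding is one problem detected for a VECS store's certificate.
type Finding struct {
	Store string
	Issue string
}

// AuditVECS checks PEM certificates exported from VECS. roots holds PEM bundles
// exported from TRUSTED_ROOTS; users maps a solution user store name to the PEM
// certificate exported from it. Because vCenter Single Sign-On only checks
// validity, chain-to-trusted-root and upcoming expiry are checked here as well.
func AuditVECS(roots [][]byte, users map[string][]byte, now time.Time, warnWithin time.Duration) []Finding {
	var out []Finding
	pool := x509.NewCertPool()
	for _, r := range roots {
		if !pool.AppendCertsFromPEM(r) {
			out = append(out, Finding{"TRUSTED_ROOTS", "bundle contains no parseable certificate"})
		}
	}
	stores := make([]string, 0, len(users))
	for s := range users {
		stores = append(stores, s)
	}
	sort.Strings(stores)        // deterministic report order
	seen := map[string]string{} // subject -> first store that used it
	for _, store := range stores {
		block, _ := pem.Decode(users[store])
		if block == nil || block.Type != "CERTIFICATE" {
			out = append(out, Finding{store, "no CERTIFICATE block in export"})
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			out = append(out, Finding{store, "unparseable certificate: " + err.Error()})
			continue
		}
		subj := cert.Subject.String()
		if first, dup := seen[subj]; dup {
			out = append(out, Finding{store, fmt.Sprintf("subject %q duplicates store %s", subj, first)})
		} else {
			seen[subj] = store
		}
		opts := x509.VerifyOptions{Roots: pool, CurrentTime: now,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := cert.Verify(opts); err != nil {
			out = append(out, Finding{store, "does not chain to TRUSTED_ROOTS: " + err.Error()})
		}
		if left := cert.NotAfter.Sub(now); left < warnWithin {
			out = append(out, Finding{store, fmt.Sprintf("expires in %d days", int(left.Hours()/24))})
		}
	}
	return out
}

var serial int64 = 1

// sign builds a constructed certificate for cn; parent == nil yields a self-signed CA.
func sign(cn string, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"constructed-sample"}}, // assumed
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	signer := parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildSample stands in for real vecs-cli exports: a constructed root plus one
// certificate per solution user store, with three defects planted deliberately.
func BuildSample() (roots [][]byte, users map[string][]byte, now time.Time) {
	now = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	nb, year, decade := now.Add(-time.Hour), now.Add(365*24*time.Hour), now.Add(10*365*24*time.Hour)
	root, rootKey, rootPEM := sign("constructed-vmca-root", nb, decade, nil, nil)
	rogue, rogueKey, _ := sign("rogue-root-not-in-trusted-roots", nb, decade, nil, nil)
	leaf := func(cn string, na time.Time, ca *x509.Certificate, k *ecdsa.PrivateKey) []byte {
		_, _, p := sign(cn, nb, na, ca, k)
		return p
	}
	users = map[string][]byte{
		"machine":           leaf("machine", year, root, rootKey),
		"vpxd":              leaf("vpxd", year, root, rootKey),
		"vpxd-extension":    leaf("vpxd", year, root, rootKey),                 // duplicate subject
		"vsphere-webclient": leaf("vsphere-webclient", year, rogue, rogueKey),  // not in TRUSTED_ROOTS
		"wcp":               leaf("wcp", now.Add(10*24*time.Hour), root, rootKey), // expiring soon
	}
	return [][]byte{rootPEM}, users, now
}

func main() {
	roots, users, now := BuildSample()
	for _, f := range AuditVECS(roots, users, now, 30*24*time.Hour) {
		fmt.Printf("%-18s %s\n", f.Store, f.Issue)
	}
}
```

On the sample, the audit reports three findings: vpxd-extension reuses the vpxd subject, vsphere-webclient does not chain to the trusted root, and wcp expires in 10 days; machine and vpxd pass. Verification uses ExtKeyUsageAny because solution user certificates are used for SAML token exchange rather than TLS server authentication, so the default server-auth EKU check would not be the right question to ask.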

The vCenter Single Sign-On service stores the token signing certificate and its SSL certificate on disk. You can change the token signing certificate from the CLI.

Some certificates are stored on the file system, either temporarily during startup or permanently. Do not change the certificates on the file system.

Note: Do not change any certificate files on disk unless instructed by VMware documentation or Knowledge Base Articles. Unpredictable behavior might result otherwise.