Some Key Management Server (KMS) vendors require that you upload your root CA certificate to the KMS. All certificates that are signed by your root CA are then trusted by this KMS.

The root CA certificate that vSphere Virtual Machine Encryption uses is a self-signed certificate that is stored in a separate store in the VMware Endpoint Certificate Store (VECS) on the vCenter Server system.

Note: Generate a root CA certificate only if you want to replace existing certificates. If you do, other certificates that are signed by that root CA become invalid. You can generate a new root CA certificate as part of this workflow.


  1. Navigate to the vCenter Server.
  2. Click Configure and select Key Providers under Security.
  3. Select the key provider with which you want to establish a trusted connection.
    The KMS for the key provider is displayed.
  4. From the Establish Trust drop-down menu, select Make KMS trust vCenter.
  5. Select vCenter Root CA Certificate and click Next.
    The Download Root CA Certificate dialog box is populated with the root certificate that vCenter Server uses for encryption. This certificate is stored in VECS.
  6. Copy the certificate to the clipboard or download the certificate as a file.
  7. Follow the instructions from your KMS vendor to upload the certificate to their system.
    Note: Some KMS vendors require that the KMS vendor restarts the KMS to pick up the root certificate that you upload.

What to do next

Finalize the certificate exchange. See Finish the Trust Setup for a Standard Key Provider.