Some Key Management Server (KMS) vendors require that vCenter Server generate a Certificate Signing Request (CSR) and send that CSR to the KMS. The KMS signs the CSR and returns the signed certificate. You can upload the signed certificate to vCenter Server.

Using the New Certificate Signing Request option is a two-step process. First you generate the CSR and send it to the KMS vendor. Then you upload the signed certificate that you receive from the KMS vendor to vCenter Server.


  1. Navigate to the vCenter Server.
  2. Click Configure and select Key Providers under Security.
  3. Select the key provider with which you want to establish a trusted connection.
    The KMS for the key provider is displayed.
  4. From the Establish Trust drop-down menu, select Make KMS trust vCenter.
  5. Select New Certificate Signing Request (CSR) and click Next.
  6. In the dialog box, copy the full certificate in the text box to the clipboard or download it as a file.
    Use the Generate new CSR button in the dialog box only if you explicitly want to generate a CSR. Using that option makes any signed certificates that are based on the old CSR invalid.
  7. Follow the instructions from your KMS vendor to submit the CSR.
  8. When you receive the signed certificate from the KMS vendor, click Key Providers again, select the key provider, and from the Establish Trust drop-down menu, select Upload Signed CSR Certificate.
  9. Paste the signed certificate into the bottom text box or click Upload File and upload the file, and click Upload.

What to do next

Finalize the trust relationship. See Finish the Trust Setup for a Standard Key Provider.