Some Key Management Server (KMS) vendors require that you upload the vCenter Server certificate to the KMS. After the upload, the KMS accepts traffic that comes from a system with that certificate.

vCenter Server generates a certificate to protect connections with the KMS. The certificate is stored in a separate key store in the VMware Endpoint Certificate Store (VECS) on the vCenter Server system.


  1. Navigate to the vCenter Server.
  2. Click Configure and select Key Providers under Security.
  3. Select the key provider with which you want to establish a trusted connection.
    The KMS for the key provider is displayed.
  4. From the Establish Trust drop-down menu, select Make KMS trust vCenter.
  5. Select vCenter Certificate and click Next.
    The Download Certificate dialog box is populated with the root certificate that vCenter Server uses for encryption. This certificate is stored in VECS.
    Note: Do not generate a new certificate unless you want to replace existing certificates.
  6. Copy the certificate to the clipboard or download it as a file.
  7. Follow the instructions from your KMS vendor to upload the certificate to the KMS.

What to do next

Finalize the trust relationship. See Finish the Trust Setup for a Standard Key Provider.