If you set up your ESXi hosts to use custom certificates, you must update the TRUSTED_ROOTS store on the vCenter Server system that manages the hosts.


Replace the certificates on each host with custom certificates.

Note: This step is not required if the vCenter Server system is also running with custom certificates issued by the same CA as those installed on the ESXi hosts.


  1. Log in to the vCenter Server shell of the vCenter Server system that manages the ESXi hosts.
  2. To add the new certificates to the TRUSTED_ROOTS store, run dir-cli, for example:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert path_to_RootCA
  3. When prompted, provide the Single Sign-On Administrator credentials.
  4. If your custom certificates are issued by an intermediate CA, you must also add the intermediate CA to the TRUSTED_ROOTS store on the vCenter Server, for example:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert path_to_intermediateCA

What to do next

Set certificate mode to Custom. If the certificate mode is VMCA, the default, and you perform a certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See Change the Certificate Mode.