Unless the Add Standard Key Provider dialog box prompted you to trust the KMS, you must explicitly establish trust after certificate exchange is complete.

You can complete the trust setup, that is, make vCenter Server trust the KMS, either by trusting the KMS or by uploading a KMS certificate. You have two options:

  • Trust the certificate explicitly by using the Upload KMS certificate option.
  • Upload a KMS leaf certificate or the KMS CA certificate to vCenter Server by using the Make vCenter Trust KMS option.
Note: If you upload the root CA certificate or the intermediate CA certificate, vCenter Server trusts all certificates that are signed by that CA. For strong security, upload a leaf certificate or an intermediate CA certificate that the KMS vendor controls.


  1. Navigate to the vCenter Server.
  2. Click Configure and select Key Providers under Security.
  3. Select the key provider with which you want to establish a trusted connection.
    The KMS for the key provider is displayed.
  4. Select the KMS.
  5. Select one of the following options from the Establish Trust drop-down menu.
    Option Action
    Make vCenter Trust KMS In the dialog box that appears, click Trust.
    Upload KMS certificate
    1. In the dialog box that appears, either paste in the certificate, or click Upload a file and browse to the certificate file.
    2. Click Upload.