To deploy virtual machines in the vSphere with Tanzu environment, DevOps users must have access to VM templates and images. As a vSphere administrator, create a content library to store and manage VM templates.

You can create a local content library and populate it with templates and other types of files.

You can also create a subscribed library to use the contents of an already existing published local library.

Starting with vSphere 7.0 Update 3, you can protect the items of a content library by applying an OVF security policy. The OVF security policy enforces strict validation when you deploy or update a content library, import items to a content library, or synchronize templates. To make sure that the templates are signed by a trusted certificate, you can add the OVF signing certificate from a trusted CA to a content library.

For more information about content libraries and VM templates in vSphere, see Using Content Libraries .


Required privileges:
  • Content library.Create local library or Content library.Create subscribed library on the vCenter Server instance where you want to create the library.
  • Datastore.Allocate space on the destination datastore.


  1. Navigate to the VM Service page.
    1. From the vSphere Client home menu, select Workload Management.
    2. Click the Services tab and click Manage on the VM Service pane.
  2. On the VM Service page, click Content Libraries > Create a content library .
    This action takes you to the content library section in the vSphere Client.
  3. Click Create.
    The New Content Library wizard opens.
  4. On the Name and location page, enter a name, select a vCenter Server instance for the content library and click Next.
    Make sure to use an informative name for the content library, so that your DevOps team can easily find and access the library items.
  5. On the Configure content library page, select the type of content library that you want to create and click Next.
    Option Description
    Local content library

    A local content library is accessible only in the vCenter Server instance where you create it by default.

    1. (Optional) To make the content of the library available to other vCenter Server instances, select Enable publishing .
    2. (Optional) If you want to require a password for accessing the content library, select Enable authentication and set a password.
    Subscribed content library A subscribed content library originates from a published content library. Use this option to take advantage of existing content libraries.

    You can synchronize the subscribed library with the published library to see up-to-date content, but you cannot add or remove content from the subscribed library. Only an administrator of the published library can add, modify, and remove contents from the published library.

    Provide the following information to subscribe to a library:

    1. In the Subscription URL text box, enter the URL address of the published library.
    2. If authentication is enabled on the published library, select Enable authentication and enter the publisher password.
    3. Select a download method for the contents of the subscribed library.
      • If you want to download a local copy of all the items in the published library immediately after subscribing to it, select immediately.
      • If you want to save storage space, select when needed. You download only the metadata for the items in the published library.

        If you need to use an item, synchronize the item or the entire library to download its content.

    4. If prompted, accept the SSL certificate thumbprint.

      The SSL certificate thumbprint is stored on your system until you delete the subscribed content library from the inventory.

  6. (Optional) On the Apply security policy page, select Apply Security Policy and select OVF default policy.
    For the subscribed library, this option appears only if the library supports security policies.
    If you select this option, the system performs a strict OVF certificate verification when importing an OVF item to the library from the local host or synchronizing an item. The OVF items that do not pass the certificate validation cannot be imported.
    If the item does not pass the validation during synchronization, it is marked with the Verification Failed tag. Only the item and metadata will be kept, but not the files in the item.
  7. On the Add storage page, select datastore as a storage location for the content library contents and click Next.
  8. On the Ready to complete page, review the details and click Finish.

What to do next

After you create the content library, populate the library with VM templates, so that your DevOps engineers can use the templates to provision new virtual machines. See Populate a Content Library with VM Images for Stand-Alone VMs in vSphere with Tanzu.