You manage vCenter Server certificates from the vSphere Client, or by using an API, scripts, or CLIs.

The following table describes the interfaces you can use to manage vCenter Server certificates.

Table 1. Interfaces for Managing vSphere Certificates
Interface Description
vSphere Client Web interface (HTML5-based client). See Managing Certificates Using the vSphere Client.
vSphere Automation API See VMware vSphere Automation SDKs Programming Guide at
Certificate Management utility Command-line tool that supports Certificate Signing Request (CSR) generation and certificate replacement. See Managing Certificates Using the vSphere Certificate Manager Utility.
CLIs for managing certificate and directory services Set of commands for managing certificates, the VMware Endpoint Certificate Store (VECS), and VMware Directory Service (vmdir). See vSphere Certificates and Services CLI Command Reference.

Manage vCenter Server Certificates Using the vSphere Client

You can manage vCenter Server certificates from the vSphere Client.


  1. Log in to a vCenter Server as a user with administrator privileges in the local vCenter Single Sign-On domain.
    The default domain is vsphere.local.
  2. Select Administration.
  3. Under Certificates, click Certificate Management.
    Certificate panels for the different types of certificates appear.
  4. Perform certificate tasks, such as viewing certificate details, renewing the Machine SSL certificate, and adding a Trusted Root certificate.

Manage vCenter Server Certificates Using CLIs

vCenter Server includes CLIs for generating Certificate Signing Requests (CSRs), managing certificates, and managing services.

For example, you can use the certool command to generate CSRs and to replace certificates.

Use the CLIs for management tasks that the vSphere Client does not support, or to create custom scripts for your environment.

Table 2. CLIs for Managing vCenter Server Certificates and Associated Services
CLI Description Links
certool Generate and manage certificates and keys. Part of VMware Certificate Authority (VMCA).

certool Initialization Commands Reference

vecs-cli Manage the contents of VMware Certificate Store instances. Part of VMware Authentication Framework Daemon (VMAFD). vecs-cli Command Reference
dir-cli Create and update certificates in VMware Directory Service. Part of VMAFD. dir-cli Command Reference
sso-config Update Security Token Service (STS) certificates. Replace a vCenter Server STS Certificate Using the Command Line
service-control Command for starting, stopping, and listing services. Run this command to stop services before running other CLI commands.


Enable SSH login to vCenter Server. You can use the Access Settings tab in the vCenter Server Management Interface (https://vcenter_server_ip:5480) for SSH login activation and deactivation.


  1. Log in to the vCenter Server shell.
    Usually, you have to be the root or Administrator user. See Required Privileges for Running vSphere CLIs for details.
  2. Access a CLI at one of the following default locations.
    The required privileges depend on the task that you want to perform. Sometimes, you are prompted for the password twice to safeguard sensitive information.

    The service-control command does not require that you enter the path.

    For more information, see Manual vSphere Certificate Replacement.