You can use the Certificate Management vCenter Trusted Root Chains interface to add, delete and read trusted root certificate chains. This use case demonstrates how to delete a root certificate or certificate chain from the trusted root store of your vCenter Server system.

Deleting certificates is not available through the vSphere Client and you can only do this by using the vSphere Automation API or the CLI tools.

Caution: Deleting a root certificate or certificate chain that is in use might cause breakage of your systems. Proceed to delete a root certificate only if you are sure it is not in use by your vCenter Server or any connected systems.


  • Verify that you are connected to a vSphere Automation API server.

  • Verify that you have the required privileges for executing the method: CertificateManagement.Administer and CertificateManagement.Manage.


  1. (Optional) Retrieve the root certificates from your vCenter Server system.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains

    The system lists the unique identifiers (chains) of the certificates in the trusted root store.

  2. Retrieve the certificate you want to delete.

    To retrieve and verify a root certificate, use its unique identifier (chain).

    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains/<chain>
  3. Delete the certificate by providing its unique identifier (chain).
    DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains/<chain>

    The system returns a 204 error, which means that the request was processed but no content is returned.

  4. (Optional) To verify you deleted the certificate, retrieve the root certificates from your vCenter Server system once again.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains