Certificate management privileges control which users can manage vCenter Server certificates.

Table 1. Certificate Management Privileges

Privilege Name in the vSphere Client: Create/Delete (Admins priv).
Description: Allows full administrative-level access to various internal APIs and functionality for vCenter Server certificate-related operations.
Required On: vCenter Server
Privilege Name in the API: CertificateManagement.Administer

Privilege Name in the vSphere Client: Create/Delete (below Admins priv).
Description: Allows reduced administrative access to various internal APIs and functionality. This privilege restricts certificate-related operations so that the user cannot escalate non-administrator privileges. Allowed operations are:
  • Generating certificate signing requests
  • Creating and retrieving Trusted Root chains
  • Deleting Trusted Root chains created by a user with the privilege Certificate Management.Create/Delete (below Admins priv).
  • Retrieving Machine SSL certificates
  • Retrieving the signing certificate chains for validating tokens issued by vCenter Server
Required On: vCenter Server
Privilege Name in the API: CertificateManagement.Manage
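Because the Admins-level privilege grants full access to the certificate APIs, an administrator will usually want to know which roles carry it and who holds those roles. The following PowerCLI audit is an added example, not part of the VMware documentation; it assumes an existing Connect-VIServer session to the vCenter Server being reviewed.

```powershell
# Added example (not VMware documentation code). Assumes Connect-VIServer has
# already established a PowerCLI session to the vCenter Server under review.

# API privilege names from Table 1, mapped to the vSphere Client names.
$certPrivs = @{
    'CertificateManagement.Administer' = 'Create/Delete (Admins priv.) - full access'
    'CertificateManagement.Manage'     = 'Create/Delete (below Admins priv.) - restricted'
}

# Roles that carry either certificate-management privilege.
$roles = Get-VIRole | Where-Object {
    ($_.PrivilegeList | Where-Object { $certPrivs.ContainsKey($_) }).Count -gt 0
}

foreach ($role in $roles) {
    $held = $role.PrivilegeList | Where-Object { $certPrivs.ContainsKey($_) }
    # Principals (users/groups) assigned this role anywhere in the inventory.
    $assignments = Get-VIPermission | Where-Object { $_.Role -eq $role.Name }
    [PSCustomObject]@{
        Role       = $role.Name
        Privileges = ($held | ForEach-Object { "$_ [$($certPrivs[$_])]" }) -join '; '
        Principals = ($assignments | Select-Object -ExpandProperty Principal -Unique) -join ', '
    }
}
```

Roles listing CertificateManagement.Administer should be limited to the principals that genuinely need full certificate administration; everyone else belongs on a role with only CertificateManagement.Manage, which the table describes as non-escalating.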