You generate new VMCA-signed certificates with the certool CLI and publish them to vmdir.

In a multi-node deployment, you run root certificate generation commands on the Platform Services Controller.


Generate a new self-signed certificate and private key.

certool --genselfcacert --outprivkey <key_file_path> --outcert <cert_file_path> --config <config_file>

Replace the existing root certificate with the new certificate.

certool --rootca --cert <cert_file_path> --privkey <key_file_path>

The command generates the certificate, adds it to vmdir, and adds it to VECS.


Stop all services and start the services that handle certificate creation, propagation, and storage.

The service names differ on Windows and the vCenter Server Appliance.


Windows

service-control --stop --all
service-control --start VMWareAfdService
service-control --start VMWareDirectoryService
service-control --start VMWareCertificateService

vCenter Server Appliance

service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad

(Optional) Publish the new root certificate to vmdir.

dir-cli trustedcert publish --cert newRoot.crt

When you run this command, all instances of vmdir are updated immediately. Otherwise, propagation to all instances might take a while.


Restart all services.

service-control --start --all

The following example shows the full set of steps for verifying the current root CA information and regenerating the root certificate.


(Optional) List the VMCA root certificate to make sure it is in the certificate store.

On a Platform Services Controller node or embedded installation:

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca

On a management node (external installation):

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca --server=<psc-ip-or-fqdn>

The output looks similar to this:

        Version: 3 (0x2)
        Serial Number:


(Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.

This command works on both Platform Services Controller and management nodes because VECS polls vmdir.

"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOTS  --text

In the simplest case with only one root certificate, the output looks like this:

Number of entries in store :    1
Alias : 960d43f31eb95211ba3a2487ac840645a02894bd
Entry type :    Trusted Cert
        Version: 3 (0x2)
        Serial Number:


Generate a new VMCA root certificate. The certificate is added to the TRUSTED_ROOTS store in VECS and in vmdir (VMware Directory Service).

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --selfca --config="C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"

On Windows, --config is optional because the command uses the default certool.cfg file.
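
The serial-number comparison between the certool --getrootca output and the TRUSTED_ROOTS listing can be scripted. The following is an added example, not part of the original documentation. It assumes both commands print OpenSSL-style certificate text. The function names and the sample output are constructed for illustration.

```shell
# Added example. Assumption: both tools print OpenSSL-style certificate text,
# with the serial either on the line after "Serial Number:" (colon-separated
# hex) or inline as "<decimal> (0x<hex>)". Function names are hypothetical.

# Print one normalised serial (lowercase hex, no separators) per certificate.
extract_serials() {
    awk '
        function emit(s) {
            gsub(/[^0-9A-Fa-f]/, "", s)   # drop colons, spaces, CR
            s = tolower(s)
            sub(/^0+/, "", s)             # leading zeros are not significant
            if (s != "") print s
        }
        want { want = 0; emit($0); next } # line after a bare "Serial Number:"
        /Serial Number:/ {
            rest = $0
            sub(/.*Serial Number:[ \t\r]*/, "", rest)
            if (rest == "") { want = 1; next }
            if (match(rest, /\(0x[0-9A-Fa-f]+\)/))
                emit(substr(rest, RSTART + 3, RLENGTH - 4))
        }
    '
}

# $1 = certool --getrootca output, $2 = TRUSTED_ROOTS listing.
# Returns 0 if every root serial is in the store, 1 if not, 2 if none parsed.
root_is_trusted() {
    root=$(printf '%s\n' "$1" | extract_serials)
    store=$(printf '%s\n' "$2" | extract_serials)
    [ -n "$root" ] || return 2
    for s in $root; do
        printf '%s\n' "$store" | grep -Fqx -- "$s" || return 1
    done
    return 0
}

# Constructed sample output, not captured from a real system.
SAMPLE_ROOT='        Version: 3 (0x2)
        Serial Number:
            00:aa:bb:cc:dd:ee:ff:01:02'
SAMPLE_STORE='Number of entries in store :    2
Alias : <constructed-alias-1>
        Serial Number: 4660 (0x1234)
Alias : <constructed-alias-2>
        Serial Number:
            00:AA:BB:CC:DD:EE:FF:01:02'

root_is_trusted "$SAMPLE_ROOT" "$SAMPLE_STORE" && echo "VMCA root serial is in TRUSTED_ROOTS"
```

On a live system, pass the captured output of certool --getrootca and of vecs-cli entry list --store TRUSTED_ROOTS --text as the two arguments. A return value of 1 after regenerating the root means the new certificate has not yet reached the store being queried.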