If you set up your ESXi hosts to use custom certificates, you have to update the TRUSTED_ROOTS store on the vCenter Server system that manages the hosts.

Replace the certificates on each host with custom certificates.

1. Log in to the vCenter Server system that manages the ESXi hosts.

   Log in to the Windows system on which you installed the software, or log in to the vCenter Server Appliance shell.

2. Run vecs-cli to add the new certificates to the TRUSTED_ROOTS store, for example:

   /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store TRUSTED_ROOTS --alias custom1.crt --cert /etc/vmware/ssl/custom1.crt

   Option    Description
   Linux     /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store TRUSTED_ROOTS --alias custom1.crt --cert /etc/vmware/ssl/custom1.crt
   Windows   "C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli" entry create --store TRUSTED_ROOTS --alias custom1.crt --cert c:\ssl\custom1.crt
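Because every entry in TRUSTED_ROOTS becomes a trust anchor for vCenter Server, it helps to check each file before running the command in step 2. The following script is an added example, not VMware's code: it rejects files that are not valid X.509 or that expire soon, prints the subject and SHA-256 fingerprint for out-of-band comparison, and skips aliases that are already in the store. The function names, the 30-day threshold, the use of the file name as the alias, and the "Alias : name" output format of `vecs-cli entry list` are assumptions.

```shell
#!/bin/sh
# Added example (not VMware's code): validate a certificate, then add it to
# TRUSTED_ROOTS only if its alias is not already there.
# The vecs-cli path and the "entry create" flags are the ones shown on the page.
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
STORE="TRUSTED_ROOTS"
MIN_DAYS="${MIN_DAYS:-30}"   # assumption: refuse certificates expiring within 30 days

# Succeeds only if the file parses as X.509 and is still valid MIN_DAYS from now.
cert_usable() {
    openssl x509 -in "$1" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null 2>&1
}

# Succeeds if the store already has an entry with exactly this alias.
# Assumption: "entry list" prints one "Alias : <name>" line per entry.
alias_present() {
    "$VECS_CLI" entry list --store "$STORE" 2>/dev/null |
        awk -v want="$1" '
            /^Alias/ {
                sub(/^Alias[ \t]*:[ \t]*/, "")   # drop the label
                sub(/[ \t\r]+$/, "")             # drop trailing whitespace
                if ($0 == want) found = 1        # literal compare, not a regex
            }
            END { exit !found }'
}

# Returns 0 if the certificate was added or was already present, 2 if rejected.
import_root() {
    cert="$1"
    alias_name="$(basename "$cert")"   # alias = file name, as in the page's example
    if ! cert_usable "$cert"; then
        echo "REJECT $cert: unreadable, not X.509, or expires within $MIN_DAYS days" >&2
        return 2
    fi
    # Show what is about to be trusted so it can be compared out of band.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate -fingerprint -sha256
    if alias_present "$alias_name"; then
        echo "SKIP $alias_name: alias already in $STORE"
        return 0
    fi
    "$VECS_CLI" entry create --store "$STORE" --alias "$alias_name" --cert "$cert"
}

# Usage: sh import_roots.sh /etc/vmware/ssl/custom1.crt [more.crt ...]
for f in "$@"; do
    import_root "$f" || echo "failed: $f" >&2
done
```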

Set certificate mode to Custom. If certificate mode is VMCA, the default, and you perform a certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See Change the Certificate Mode.