Trust Relationship Requirement for ESXCLI Commands
Starting with vSphere 6.0, ESXCLI checks whether a trust relationship exists between the machine where you run the ESXCLI command and the ESXi host. An error results if the trust relationship does not exist.
To establish the trust relationship, you have these options.
Downloading and Installing the vCenter Server Certificate
You can download the vCenter Server root certificate using a Web browser and add it to the trusted certificates on the machine where you plan on running ESXCLI commands.
To download the certificate
Click the Download trusted root certificates link.
The result is a certs folder. The folder includes files with the extension .0. .1, and so on, which are certificates, and files with the extension .r0, r1, and so on which are CRL files associated with the certificates.
You can now run ESXCLI commands against any host that is managed by the trusted vCenter Server without supplying additional information if you specify the vCenter Server in the --server option and the ESXi host in the --vihost option.
Using the --cacertsfile Option
Using a certificate to establish the trust relationship is the most secure option. You can specify the certificate with the --cacertsfile parameter or the VI_CACERTFILE variable.
Using the --thumbprint Option
You can supply the thumbprint for the target server (ESXi host or vCenter Server system) in the --thumbprint parameter (VI_THUMBPRINT variable).
When you run a command, ESXCLI checks first whether a certificate file is available. If not, ESXCLI checks whether a thumbprint of the target server is available. If not, an error like the following results:
Connect to sof-40583-srv failed. Server SHA-1 thumbprint: 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:Usin63:82:C5:16:51 (not trusted).
You can run the command with the thumbprint to establish the trust relationship, or add the thumbprint to the VI_THUMBPRINT variable. For example, using the thumbprint of the ESXi host above, you can run the following command:
esxcli --server myESXi --username user1 --password 'my_password' --thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 storage nfs list
Using the Credential Store
Your vCLI installation includes a credential store. You can manage the credential store with the credstore-admin utility application, which is located in the /Perl/apps/general directory inside the VMware vSphere CLI directory.
To establish trust for a user with the credential store
1 add --server <esxi_HOSTNAME_OR_IP> --username <user> --password <pwd>
2 add --server <esxi_HOSTNAME_OR_IP> --thumbprint <thumbprint>
If you are using a non-default credential store file, you have to pass it in with the --credstore option. Otherwise, this user will be able to access the host without authentication going forward.