How to publish Root CA into the trusted store in VMware Endpoint Certificate Store?

By | May 4, 2016

Recently during preparing a new vSphere environment based on 6.0 U2 version and replacing certificates I got some problems and found the following error in certificate-manager.log:

"Error while publishing cert using dir-cli."

dir-cli allows to create and update solution users, create other user accounts, and manage certificates and passwords in vmdir. It's used together with vecs-cli and certool to manage the certificate infrastructure.

There is already a KB where VMware mentioned that this problem should be solved already 🙂 However, if you do not prepare certificates properly, sometimes it would be necessary to add all Intermediate(s) and the Root CA certificates into the trusted store in VMware Endpoint Certificate Store before replacing certificates. VMware Endpoint Certificate Store (VECS) is a local repository for certificates, private keys, and other certificate information that can be stored in a keystore.

To add Intermediate and the Root CA certificate into the trusted store in VMware Endpoint Certificate Store please follow the below steps:

on VCSA:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert path_to_chain.cer

on vCenter installed on Windows:

"C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe" trustedcert publish --chain --cert path_to_chain.cer

I have replaced SSL certificates few times already and I have faced only above problem. I have to admit that VMware did a great job and very simplified replacing certificates on vSphere 6.0 🙂

Note: You can find the the certificate-manager.log in these locations:

  • VCSA: /var/log/vmware/vmcad/certificate-manager.log
  • Windows vCenter Server 6.0: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.