Removing/updating vCenter Trusted Root Certificates
Last month I had to update the machine (SSL) certificate of vCenter. I prepared the new certificate and the certificate chain. In the end I was able to change the machine certificate, but the Trusted Root certificate of the intermediate CA was not updated and had to be replaced as well. That is not possible through the user interface, so I had to do it from the command line.
The first step is to list all the certificates in the TRUSTED_ROOTS store of VECS (the VMware Endpoint Certificate Store):
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less
Make a note of the alias and the X509v3 Subject Key Identifier of the certificate you want to replace; you will need both later.
Now check that the same certificate also exists in the vCenter Directory Service and make a note of its id:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
Now, using that id, make a backup of the certificate:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id <id> --login administrator@vsphere.local --outcert /tmp/oldcert.cer
When the backup has succeeded, unpublish the certificate:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert.cer
The next step is to delete the certificate from VECS:
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias <alias>
Now the new certificate (with its chain) can be published to the directory:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert path_to_chain.cer
and then synced into VECS:
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
Once you have come this far, the expired Trusted Root certificate has been replaced by the new one.
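The same sequence as one script, added here as an example and not part of the original post or of VMware's tooling. It uses only the vecs-cli and dir-cli invocations shown above, but adds the checks an operator wants before the destructive steps: the new chain file must exist before anything is removed, and the old certificate is unpublished and deleted only after a non-empty backup has been written, so the backup can be re-published if services fail to come up afterwards. The variables VECS_CLI, DIR_CLI, BACKUP_DIR and ADMIN_USER are my own assumptions, added so the flow can be pointed at stubs instead of the appliance binaries; the defaults are the paths used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): the Trusted Root replacement
# steps as one script. Assumption: the real binaries accept exactly the
# arguments shown in the post; the variables below are overridable so the
# flow can be exercised against stubs.
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
DIR_CLI="${DIR_CLI:-/usr/lib/vmware-vmafd/bin/dir-cli}"
BACKUP_DIR="${BACKUP_DIR:-/tmp}"
ADMIN_USER="${ADMIN_USER:-administrator@vsphere.local}"

# Step 1: back up the old certificate from the directory service by id and
# refuse to continue unless a non-empty file was actually written.
backup_trusted_cert() {
    id="$1"; out="$BACKUP_DIR/oldcert-$id.cer"
    "$DIR_CLI" trustedcert get --id "$id" --login "$ADMIN_USER" --outcert "$out" || return 1
    [ -s "$out" ] || { echo "backup $out is missing or empty, aborting" >&2; return 1; }
    printf '%s\n' "$out"
}

# Step 2: unpublish the old certificate from the directory, then delete its
# VECS entry. Runs only with a backup file in hand.
remove_trusted_root() {
    backup="$1"; alias="$2"
    "$DIR_CLI" trustedcert unpublish --cert "$backup" || return 1
    "$VECS_CLI" entry delete --store TRUSTED_ROOTS --alias "$alias" || return 1
}

# Step 3: publish the new chain to the directory and push it into VECS.
publish_trusted_chain() {
    chain="$1"
    [ -s "$chain" ] || { echo "chain file $chain not found" >&2; return 1; }
    "$DIR_CLI" trustedcert publish --chain --cert "$chain" || return 1
    "$VECS_CLI" force-refresh
}

# Whole procedure: replace_trusted_root <old alias> <old id> <new chain.cer>
# The chain file is checked first, so a typo in its path cannot leave the
# store without a trusted root after the old one has been removed.
replace_trusted_root() {
    old_alias="$1"; old_id="$2"; chain="$3"
    [ -s "$chain" ] || { echo "chain file $chain not found" >&2; return 1; }
    backup=$(backup_trusted_cert "$old_id") || return 1
    remove_trusted_root "$backup" "$old_alias" || return 1
    publish_trusted_chain "$chain" || return 1
    echo "replaced $old_alias; old certificate kept at $backup"
}
```

Run it on the appliance as `replace_trusted_root <alias> <id> /path/to/chain.cer` with the alias and id noted in the earlier steps. Keep the backup file until the machine certificate has been verified against the new chain; it is the only copy of the old trusted root once the VECS entry is gone.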