Use the Root CA Certificate Option to Establish a Standard Key Provider Trusted Connection

Some Key Management Server (KMS) vendors require that you upload your root CA certificate to the KMS. All certificates that are signed by your root CA are then trusted by this KMS.
The root CA certificate that vSphere Virtual Machine Encryption uses is a self-signed certificate that is stored in a separate store in the VMware Endpoint Certificate Store (VECS) on the vCenter Server system.
Generate a root CA certificate only if you want to replace existing certificates. If you do, other certificates that are signed by that root CA become invalid. You can generate a new root CA certificate as part of this workflow.
  1. Navigate to the vCenter Server.
  2. Click Configure and select Key Management Servers.
  3. Select the KMS instance with which you want to establish a trusted connection.
  4. From the Establish Trust drop-down menu, select Make KMS trust vCenter.
  5. Select vCenter Root CA Certificate and click Next.
     The Download Root CA Certificate dialog box is populated with the root certificate that vCenter Server uses for encryption. This certificate is stored in VECS.
  6. Copy the certificate to the clipboard or download the certificate as a file.
  7. Follow the instructions from your KMS vendor to upload the certificate to their system.
     With some KMS vendors, the KMS must be restarted to pick up the root certificate that you upload.
Finalize the certificate exchange. See Finish the Trust Setup for a Standard Key Provider.
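Before handing the downloaded file to the KMS (step 7), it is worth confirming that what you saved in step 6 really is the self-signed root CA the text describes, and recording its fingerprint for later comparison. The script below is an added example, not part of the VMware documentation and not a VMware tool. It assumes the openssl command-line tool (1.1.1 or later) is installed; the file name vcenter-root-ca.pem is a placeholder for wherever you saved the download, and the certificates it builds for its own demonstration are constructed test material, not anything exported from a vCenter Server.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation: sanity-check the root CA
# certificate downloaded in step 6 before uploading it to the KMS in step 7.
# Assumes the openssl CLI (1.1.1 or later) is installed; vcenter-root-ca.pem is
# a placeholder name for the file you saved from the vSphere Client.

# Return 0 if CERT is a self-signed CA certificate, 1 otherwise.
check_root_ca() {
  cert="$1"
  subject=$(openssl x509 -noout -subject -in "$cert" 2>/dev/null) || return 1
  issuer=$(openssl x509 -noout -issuer -in "$cert" 2>/dev/null) || return 1
  # A root CA issues its own certificate: subject and issuer must match.
  [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
  # It must be marked as a CA (basicConstraints CA:TRUE).
  openssl x509 -noout -text -in "$cert" 2>/dev/null | grep -q 'CA:TRUE' || return 1
  # Its signature must verify with its own public key.
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
  return 0
}

# Print the SHA-256 fingerprint (colon-separated hex), the value to keep as a
# reference for whatever the KMS shows you once the certificate is uploaded.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Build constructed test material in DIR: a self-signed root CA (ca.pem) and a
# leaf certificate signed by it (leaf.pem). Neither comes from a real vCenter.
make_constructed_certs() {
  dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 >/dev/null 2>&1 || return 1
  openssl req -new -config "$dir/ca.cnf" -subj "/CN=constructed-leaf" \
    -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/leaf.pem" -days 1 >/dev/null 2>&1 || return 1
}

# Demonstration on the constructed material. On a real download run instead:
#   check_root_ca vcenter-root-ca.pem && cert_fingerprint vcenter-root-ca.pem
demo_dir=$(mktemp -d)
make_constructed_certs "$demo_dir"
for f in ca.pem leaf.pem; do
  if check_root_ca "$demo_dir/$f"; then
    echo "$f: self-signed root CA, SHA-256 $(cert_fingerprint "$demo_dir/$f")"
  else
    echo "$f: not a self-signed root CA; do not upload it as the root certificate"
  fi
done
rm -rf "$demo_dir"
```

The leaf certificate is deliberately included so the check has a negative case: a certificate that merely chains to the root (as the certificates vCenter Server presents to the KMS will) fails the subject/issuer comparison, which is exactly the mistake the check is meant to catch before the wrong file ends up in the KMS trust store.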