Use the Root CA Certificate Option to Establish a Standard Key Provider Trusted Connection
Some Key Management Server (KMS) vendors require that you upload your root CA certificate to the KMS. All certificates that are signed by your root CA are then trusted by this KMS.
The root CA certificate that vSphere Virtual Machine Encryption uses is a self-signed certificate that is stored in a separate store in the VMware Endpoint Certificate Store (VECS) on the vCenter Server system. Generate a root CA certificate only if you want to replace existing certificates. If you do, other certificates that are signed by that root CA become invalid. You can generate a new root CA certificate as part of this workflow.
- Navigate to the vCenter Server.
- Click Configure and select Key Management Servers.
- Select the KMS instance with which you want to establish a trusted connection.
- From the Establish Trust drop-down menu, select Make KMS trust vCenter.
- Select vCenter Root CA Certificate and click Next. The Download Root CA Certificate dialog box is populated with the root certificate that vCenter Server uses for encryption. This certificate is stored in VECS.
- Copy the certificate to the clipboard or download the certificate as a file.
- Follow the instructions from your KMS vendor to upload the certificate to their system. Some KMS vendors require that the KMS vendor restarts the KMS to pick up the root certificate that you upload.
Finalize the certificate exchange. See Finish the Trust Setup for a Standard Key Provider.
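Because the KMS will trust every certificate signed by the root CA you upload, it is worth confirming that the copy you pasted or downloaded in the procedure above is byte-for-byte the certificate you intended. The following is an added example, not VMware code: it compares SHA-256 fingerprints over the DER encoding, which is unaffected by clipboard whitespace or line endings. The function names are hypothetical, the sample bytes are a constructed placeholder rather than a real certificate, and it assumes the dialog box yields exactly one certificate.

```python
import base64, hashlib, hmac, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_certs_to_der(pem_text):
    """Return the DER bytes of every certificate block in pem_text."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        # Drop all whitespace so CRLF/LF and clipboard padding do not matter.
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders

def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Strip colons and whitespace from a displayed fingerprint."""
    return re.sub(r"[\s:]", "", fp).lower()

def matches_expected(pem_text, expected_fp):
    """True only if pem_text holds exactly one cert with that fingerprint."""
    ders = pem_certs_to_der(pem_text)
    if len(ders) != 1:  # assumption: the trust anchor is a single certificate
        raise ValueError(f"expected exactly 1 certificate, found {len(ders)}")
    actual = normalize(sha256_fingerprint(ders[0]))
    return hmac.compare_digest(actual, normalize(expected_fp))

def make_pem(der):
    """Wrap DER bytes in PEM armor (used here only to build sample input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed placeholder bytes standing in for a real root CA certificate.
SAMPLE_DER = bytes(range(256)) * 3
DOWNLOADED = make_pem(SAMPLE_DER)                       # saved as a file
PASTED = "  " + DOWNLOADED.replace("\n", "\r\n") + "\r\n"  # clipboard copy, CRLF
RECORDED_FP = sha256_fingerprint(pem_certs_to_der(DOWNLOADED)[0])

if __name__ == "__main__":
    print("fingerprint:", RECORDED_FP)
    print("pasted copy matches:", matches_expected(PASTED, RECORDED_FP))
```

Record the fingerprint when you download the certificate, then run the same check on whatever text or file you are about to hand to the KMS.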