Manage CA Certificates with ESXCLI

You can use ESXCLI to manage certificates in the CA certificate store.

You must manage certificates in the CA certificate store when configuring a remote syslog server that uses the TLS protocol for communications. To establish secure communications, you must add the public CA certificate for the remote syslog server to the ESXi CA certificate store.

The following example adds a new CA certificate to the CA certificate store, lists all available certificates in the store, and removes a certificate from the store. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.

Procedure

  1. Add a new CA certificate to the CA certificate store.
    esxcli <conn_options> system security certificatestore add --filename=<local_file>
  2. List all certificates in the CA certificate store.
    esxcli <conn_options> system security certificatestore list
  3. Remove a certificate from the CA certificate store.
    • Remove a certificate by specifying the file name.
      esxcli <conn_options> system security certificatestore remove --filename=<local_file>
    • Remove a certificate by specifying the issuer name and serial number.
      esxcli <conn_options> system security certificatestore remove --issuer=<issuer_name> --serial=<serial_number>
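
Example (added here, not part of the original documentation): a workstation-side check to run on <local_file> before step 1, so that only a single, unexpired CA certificate with no private key attached enters the store. It then prints the issuer, serial number and fingerprint to compare against the output of step 2. It assumes the openssl CLI is installed; the function names are illustrative, and because this page does not state the format expected by --issuer and --serial, take those values from the list output when removing.

```shell
#!/bin/sh
# Added example: pre-flight check on the workstation before running
#   esxcli <conn_options> system security certificatestore add --filename=<local_file>
# Assumes the openssl CLI is installed; function names are illustrative.

fail() { echo "REJECT: $*" >&2; }

# Return 0 only if $1 is one PEM certificate that is a CA and has not expired.
check_ca_cert() {
    f=$1
    [ -r "$f" ] || { fail "cannot read $f"; return 1; }
    # A bundle would add trust anchors that were not reviewed one by one.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -eq 1 ] || { fail "expected 1 certificate, found $n"; return 1; }
    # The store needs only the public certificate; a key must never travel with it.
    if grep -q -- 'PRIVATE KEY-----' "$f"; then
        fail "file contains a private key"; return 1
    fi
    # basicConstraints must mark the certificate as a CA.
    openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { fail "not a CA certificate (no CA:TRUE)"; return 1; }
    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
        || { fail "certificate has expired"; return 1; }
}

# Print the values that identify this certificate, for comparison with the
# output of `certificatestore list` after the add.
cert_ids() {
    openssl x509 -in "$1" -noout -issuer -serial -enddate -fingerprint -sha256
}

# Stand-alone use: sh precheck.sh <local_file>
if [ "$#" -ge 1 ]; then
    check_ca_cert "$1" && cert_ids "$1" &&
        echo "OK, next: esxcli <conn_options> system security certificatestore add --filename=$1"
fi
```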