You can establish the trust relationship between the client machine on which you are running the vCLI command and the server specified in the --server option (ESXi host or vCenter Server system) in a number of ways.
Downloading and Installing the vCenter Server Certificate
Using the --cacertsfile Option
Instead of installing the vCenter Server certificate, you can specify the certificate on the command line with the --cacertsfile option or the VI_CACERTFILE variable. You can also use this option if you target an ESXi host directly.
Using the --thumbprint Option
You can supply the thumbprint for the target server (ESXi host or vCenter Server system) on the command line in the --thumbprint option (VI_THUMBPRINT variable).
When you run a command, ESXCLI checks first whether a certificate file is available. If not, ESXCLI checks whether a thumbprint of the target server is available. If not, an error like the following results:
Connect to w2-server42.mydomain.com failed. Server SHA-1 thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 <not trusted>
To establish the trust relationship, you can run the command with the thumbprint that is returned in the error message or add the thumbprint to the VI_THUMBPRINT variable. For example, using the thumbprint of the ESXi host that returned the error above, you can run the following command:
esxcli --server myESXi --username user1 --password 'my_password' --thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 storage nfs list
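The following added example (not part of the VMware documentation) compares the thumbprint reported in the error message with the SHA-1 thumbprint of a certificate copy obtained through a channel you already trust, before the value is passed to --thumbprint or VI_THUMBPRINT. The function names are hypothetical, and SAMPLE_PEM wraps constructed stand-in bytes rather than a real certificate.

```python
import hashlib
import hmac
import re
import ssl

# Error text exactly as shown on this page.
ERROR_TEXT = (
    "Connect to w2-server42.mydomain.com failed. Server SHA-1 thumbprint "
    "5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 <not trusted>"
)

# A SHA-1 thumbprint is 20 bytes: 19 "XX:" groups followed by a final "XX".
THUMBPRINT_RE = re.compile(
    r"SHA-1 thumbprint\s+((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"
)


def thumbprint_from_error(message):
    """Extract the colon-separated thumbprint the server presented."""
    match = THUMBPRINT_RE.search(message)
    if match is None:
        raise ValueError("no SHA-1 thumbprint found in message")
    return match.group(1).upper()


def thumbprint_from_pem(pem_text):
    """SHA-1 over the DER bytes of the certificate, formatted like the error."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_is_trusted(error_message, trusted_pem):
    """True only if the presented thumbprint matches the trusted certificate."""
    presented = thumbprint_from_error(error_message)
    expected = thumbprint_from_pem(trusted_pem)
    return hmac.compare_digest(presented, expected)


# Constructed stand-in bytes (assumption: in practice this is the PEM file
# exported from the host or vCenter Server over a trusted channel).
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for DER bytes")

if __name__ == "__main__":
    if thumbprint_is_trusted(ERROR_TEXT, SAMPLE_PEM):
        print("match:", thumbprint_from_error(ERROR_TEXT))
    else:
        print("mismatch: do not pass this thumbprint to --thumbprint")
```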
Using the Credential Store
Your vCLI installation includes a credential store. You can manage the credential store with the credstore_admin utility, which is located in the /Perl/apps/general directory inside the VMware vSphere CLI directory.
Note: Updating the credential store is a two-step process. First you add the user and password for the target server, and then you add the thumbprint for the target server, as follows:
1. Add the user and password for the target ESXi host to the local credential store.
   credstore_admin.pl add --server <esxi_HOSTNAME_OR_IP> --username <user> --password <pwd>
2. Add the thumbprint, which was returned in the error message when you attempted to connect to the host.
   credstore_admin.pl add --server <target_server> --thumbprint <thumbprint>
   The user specified in Step 1 can now run vCLI commands against the target server without authentication if the credential store file is in the default location.
3. (Optional) If the credential store is in a non-default location, you have to specify the location on the command line with the --credstore option.