Validating Trusted Root Certificate Name Between the vCenter UI and VECS CLI

Article ID: 441173

Products

VMware vCenter Server

Issue/Introduction

Administrators may need to verify that the Trusted Root certificates displayed in the vCenter Server UI match the entries in the VMware Endpoint Certificate Store (VECS). When comparing the output from the VECS CLI to the vSphere Client UI, the Serial Number formats differ, which can cause confusion during certificate validation or troubleshooting.

Environment

VMware vCenter Server

Cause

The vSphere Client UI displays the certificate Serial Number in decimal format, whereas the vecs-cli command-line utility outputs the certificate Serial Number in hexadecimal format.

Resolution

To verify and match the certificate entries:

  1. Log in to the vSphere Client.

  2. Navigate to Home > Administration > Certificates > Certificate Management > Trusted Root.

  3. Identify the target certificate and note its decimal Serial Number.

  4. Connect to the vCenter Server Appliance via SSH and log in as the root user.

  5. Run the following command to list the trusted root certificates in VECS:

       /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less

  6. Locate the matching certificate in the CLI output.

  7. Convert the decimal Serial Number from the UI to hexadecimal (or vice versa) to confirm that the entries are identical.
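
The comparison in steps 6 and 7 can be scripted. This is an added example, not part of the original article or VMware tooling. It assumes the `--text` output contains `Alias :` lines and openssl-style `Serial Number` fields; the function names and the sample output are constructed for illustration.

```python
import re

# Matches both openssl-style layouts (assumed format of the --text output):
#   "Serial Number: 4660 (0x1234)"         short serials, one line
#   "Serial Number:\n    01:00:...:01"     long serials, colon-separated hex
SERIAL_RE = re.compile(
    r"Serial Number:\s*(?:\d+\s*\(0x([0-9a-fA-F]+)\)|([0-9a-fA-F:]+))")

def ui_serial_to_hex(decimal_serial):
    """Decimal serial from the UI -> lowercase hex. Python integers are
    arbitrary precision, so serials wider than 64 bits convert exactly."""
    return format(int(decimal_serial), "x")

def vecs_serials(text):
    """Map each alias in the CLI text output to its serial as an integer."""
    serials = {}
    for entry in re.split(r"^Alias\s*:\s*", text, flags=re.M)[1:]:
        alias = entry.split()[0]
        m = SERIAL_RE.search(entry)
        if m:
            hex_digits = (m.group(1) or m.group(2)).replace(":", "")
            serials[alias] = int(hex_digits, 16)
    return serials

def find_alias(decimal_serial, text):
    """Aliases whose serial equals the UI value. Comparing integers ignores
    colons, letter case and leading zero bytes."""
    want = int(decimal_serial)
    return [a for a, s in vecs_serials(text).items() if s == want]

# Constructed sample output (not from a real vCenter Server)
SAMPLE = """\
Number of entries in store :\t2
Alias :\talias-big
Entry type :\tTrusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:00:00:00:00:00:00:00:01
Alias :\talias-small
Entry type :\tTrusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
"""

if __name__ == "__main__":
    print(ui_serial_to_hex("18446744073709551617"))
    print(find_alias("18446744073709551617", SAMPLE))
```

Serial numbers can be up to 20 bytes long, so a conversion that relies on 64-bit integer arithmetic can give wrong results for large values.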