The certool initialization commands allow you to generate certificate signing requests, view and generate certificates and keys that are signed by VMware Certificate Authority (VMCA), import root certificates, and perform other certificate management operations.

In many cases, you pass a configuration file to a certool command. See Changing the certool Configuration Options. See Replace Existing VMCA-Signed Certificates with New VMCA-Signed Certificates Using the CLI for some usage examples. The command-line help provides details about the options.

certool --initcsr

Generates a Certificate Signing Request (CSR). The command generates a PKCS10 file and a private key.

Option Description
--gencsr Required for generating CSRs.
--privkey <key_file> Name of the private key file.
--pubkey <key_file> Name of the public key file.
--csrfile <csr_file> File name for the CSR file to be sent to the CA provider.
--config <config_file> Name of the configuration file. A sample configuration file is located at /usr/lib/vmware-vmca/share/config/certool.cfg. As a best practice, make a copy of the default configuration file and replace the required fields.

Example:
certool --gencsr --privkey=<filename> --pubkey=<filename> --csrfile=<filename>

certool --selfca

Creates a self-signed certificate and provisions the VMCA server with a self-signed root CA. Using this option is one of the simplest ways to provision the VMCA server. You can instead provision the VMCA server with a third-party root certificate so that VMCA is an intermediate CA. See Make VMCA Into an Intermediate Certificate Authority Using the CLI.

This command generates a certificate that is predated by three days to avoid time zone conflicts.

Option Description
--selfca Required for generating a self-signed certificate.
--predate <number_of_minutes> Allows you to set the Valid Not Before field of the root certificate to the specified number of minutes before the current time. This option can be helpful to account for potential time zone issues. The maximum is three days.
--config <config_file> Name of the configuration file. A sample configuration file is located at /usr/lib/vmware-vmca/share/config/certool.cfg. As a best practice, make a copy of the default configuration file and replace the required fields.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.

Example:
machine-70-59:/usr/lib/vmware-vmca/bin # ./certool --predate=2280 --selfca --server=192.0.2.24 --srp-upn=administrator@vsphere.local

certool --rootca

Imports a root certificate. Adds the specified certificate and private key to VMCA. VMCA always uses the most recent root certificate for signing, but other root certificates remain trusted until you manually delete them. That means you can update your infrastructure one step at a time, and finally delete certificates that you no longer use.

Option Description
--rootca Required for importing a root CA.
--cert <certfile> Name of the certificate file.
--privkey <key_file> Name of the private key file. This file must be in PEM encoded format.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --rootca --cert=root.cert --privkey=privatekey.pem
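
A pre-flight check for the --rootca import described above, as an added example that is not VMware's code: it confirms that the certificate and key files carry PEM armor (a DER-encoded key is rejected) and that the key file is not accessible to group or other users. The function names, the sample file contents, the accepted key labels, and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run before `certool --rootca`. Function and file
# names are hypothetical; the certool flags are the ones shown on this page.

# pem_label: read stdin, print the label of the first PEM block. Fails unless
# the block is a BEGIN line, base64 lines only, then the matching END line.
pem_label() {
    awk '
        !inblk && /^-----BEGIN [A-Z0-9 ]+-----$/ {
            label = substr($0, 12, length($0) - 16); inblk = 1; next
        }
        inblk && $0 == ("-----END " label "-----") { ok = (body > 0); if (ok) print label; exit }
        inblk && $0 ~ "^[A-Za-z0-9+/=]+$" { body++; next }
        inblk { exit }  # header lines inside the block, e.g. an encrypted key
        END { exit (ok ? 0 : 1) }
    '
}

# key_is_private FILE: succeed only if group and other have no permission bits.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# rootca_preflight CERT KEY: print the import command only if every check passes.
rootca_preflight() {
    cert=$1 key=$2
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing file" >&2; return 1; }
    [ "$(tr -d '\r' < "$cert" | pem_label)" = "CERTIFICATE" ] ||
        { echo "$cert: no PEM certificate block" >&2; return 1; }
    case "$(tr -d '\r' < "$key" | pem_label)" in
        "PRIVATE KEY"|"RSA PRIVATE KEY") ;;  # labels accepted by this example
        *) echo "$key: not an unencrypted PEM key (DER?)" >&2; return 1 ;;
    esac
    key_is_private "$key" || { echo "$key: group/other can access it" >&2; return 1; }
    printf 'certool --rootca --cert=%s --privkey=%s\n' "$cert" "$key"
}

# write_samples DIR: constructed files (PEM armor only, no real key material).
write_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/root.cert"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/privatekey.pem"
    printf '0\202\004\275\002\001' > "$1/privatekey.der"  # DER-style binary
    chmod 600 "$1/privatekey.pem" "$1/privatekey.der"
}
```

The check covers encoding and file permissions only; it does not verify that the key matches the certificate.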

certool --getdc

Returns the default domain name that is used by vmdir.

Option Description
--server <server> Optional name of the VMCA server. By default, the command uses localhost.
--port <port_num> Optional port number. Defaults to port 389.

Example:
certool --getdc

certool --waitVMDIR

Wait until the VMware Directory Service is running or until the timeout specified by --wait has elapsed. Use this option along with other options to schedule certain tasks, for example returning the default domain name.

Option Description
--wait Optional number of minutes to wait. Defaults to 3.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.
--port <port_num> Optional port number. Defaults to port 389.

Example:
certool --waitVMDIR --wait 5

certool --waitVMCA

Wait until the VMCA service is running or until the specified timeout has elapsed. Use this option in conjunction with other options to schedule certain tasks, for example, generating a certificate.

Option Description
--wait Optional number of minutes to wait. Defaults to 3.
--server <server> Optional name of the VMCA server. By default, the command uses localhost.
--port <port_num> Optional port number. Defaults to port 389.

Example:
certool --waitVMCA --selfca

certool --publish-roots

Forces an update of root certificates. This command requires administrative privileges.

Option Description
--server <server> Optional name of the VMCA server. By default, the command uses localhost.

Example:
certool --publish-roots