Trust Relationship Requirement for ESXCLI Commands
Starting with vSphere 6.0, ESXCLI checks whether a trust relationship exists between the machine where you run the ESXCLI command and the ESXi host. An error results if the trust relationship does not exist.
To establish the trust relationship, you have these options.
Downloading and Installing the vCenter Server Certificate
You can download the vCenter Server root certificate using a Web browser and add it to the trusted certificates on the machine where you plan on running ESXCLI commands.
To download the certificate
1
2
Click the Download trusted root certificates link.
3
4
The result is a certs folder. The folder includes files with the extensions .0, .1, and so on, which are certificates, and files with the extensions .r0, .r1, and so on, which are the CRL files associated with those certificates.
5
You can now run ESXCLI commands against any host that is managed by the trusted vCenter Server without supplying additional information if you specify the vCenter Server in the --server option and the ESXi host in the --vihost option.
Using the --cacertsfile Option
Using a certificate to establish the trust relationship is the most secure option. You can specify the certificate with the --cacertsfile parameter or the VI_CACERTFILE variable.
Using the --thumbprint Option
You can supply the thumbprint for the target server (ESXi host or vCenter Server system) in the --thumbprint parameter (VI_THUMBPRINT variable).
When you run a command, ESXCLI checks first whether a certificate file is available. If not, ESXCLI checks whether a thumbprint of the target server is available. If not, an error like the following results:
Connect to sof-40583-srv failed. Server SHA-1 thumbprint: 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 (not trusted).
You can run the command with the thumbprint to establish the trust relationship, or add the thumbprint to the VI_THUMBPRINT variable. For example, using the thumbprint of the ESXi host above, you can run the following command:
esxcli --server myESXi --username user1 --password 'my_password' --thumbprint 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51 storage nfs list
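The thumbprint printed in the error is only a safe value for --thumbprint or VI_THUMBPRINT if it matches the one you obtained out of band (for example from the host console or the downloaded vCenter Server certificate). The following Python helpers are an added example and not part of the VMware documentation or vCLI: they compute a SHA-1 thumbprint in ESXCLI's colon-separated format from DER or PEM certificate bytes, extract the thumbprint from the "(not trusted)" error text, and compare the two; the function names and the sample certificate bytes are constructed for the example.

```python
import base64
import hashlib
import re
from typing import Optional

# ESXCLI displays the SHA-1 thumbprint as 20 colon-separated uppercase hex pairs,
# e.g. 5D:01:06:63:55:9D:DF:FE:38:81:6E:2C:FA:71:BC:63:82:C5:16:51
THUMBPRINT_RE = re.compile(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}")
ERROR_RE = re.compile(r"Server SHA-1 thumbprint:\s*(" + THUMBPRINT_RE.pattern + r")\s*\(not trusted\)")

# Constructed sample input (not a real certificate): the thumbprint is just SHA-1 over the bytes.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, rendered in ESXCLI's display format."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_pem(pem: str) -> str:
    """Decode a PEM certificate (e.g. a .0 or .1 file from the certs folder) and thumbprint it."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if body is None:
        raise ValueError("no CERTIFICATE block in input")
    return thumbprint_from_der(base64.b64decode("".join(body.group(1).split())))


def normalize(thumbprint: str) -> str:
    """Accept 5d0106..., 5D:01:06..., or space-separated forms and return ESXCLI's format."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", thumbprint).upper()
    if len(hexdigits) != 40:
        raise ValueError("a SHA-1 thumbprint must be 40 hex digits")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def thumbprint_from_error(message: str) -> Optional[str]:
    """Pull the thumbprint out of ESXCLI's '(not trusted)' error text, or None if absent."""
    m = ERROR_RE.search(message)
    return m.group(1) if m else None


def is_expected_host(reported: str, expected: str) -> bool:
    """True only when the thumbprint ESXCLI reported equals the one obtained out of band."""
    return normalize(reported) == normalize(expected)
```

Run is_expected_host on the error's thumbprint and your out-of-band value before passing it to --thumbprint; a mismatch means the connection reached a host other than the one whose certificate you checked.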
Using the Credential Store
Your vCLI installation includes a credential store. You can manage the credential store with the credstore_admin utility application, which is located in the /Perl/apps/general directory inside the VMware vSphere CLI directory.
To establish trust for a user with the credential store
1
credstore_admin.pl add --server <esxi_HOSTNAME_OR_IP> --username <user> --password <pwd>
2
credstore_admin.pl add --server <esxi_HOSTNAME_OR_IP> --thumbprint <thumbprint>
3
If you are using a non-default credential store file, you have to pass it in with the --credstore option. Once both entries are in place, this user will be able to access the host without supplying credentials or a thumbprint on the command line going forward.