cURL Examples of Certificate Management Operations

The following cURL command examples show the syntax for operations that you can use to manage TLS certificates and trusted root certificates.

Prerequisites

  • Verify that the certificate management service is running on your instance.
  • Verify that you have the session ID that is required to invoke the API operations. You can obtain the session ID by running the following command.
    curl -u 'administrator@vsphere.local:<password>' -X POST -k https://<server>:443/rest/com/vmware/cis/session
Renew a Certificate
This example renews an existing TLS certificate issued by the VMware Certificate Authority (VMCA).
The duration of the renewed certificate is explicitly set to 730 days in the input spec, which is the default and maximum value. If you do not specify the duration in the input spec, the default value of 730 days is applied.
curl --insecure -H 'Content-Type:application/json' --request POST --data-ascii '{"duration":"730"}' --url 'https://<server>/rest/vcenter/certificate-management/vcenter/tls/?action=renew' --header 'vmware-api-session-id:8ab92796a606801c233a2189a1e8f823'
Generate a CSR
This example generates a CSR and private key on the instance. The private key remains on the machine.
You can perform this operation as part of a use case scenario in which you want to replace a VMCA-issued TLS certificate with a TLS certificate issued by a custom Certificate Authority (CA). You must use the CSR and obtain a certificate from the external CA to replace the existing certificate. For details on the replacement operation, see Replace a Certificate.
curl --insecure -H 'Content-Type:application/json' --request POST --data-ascii '{"spec": {"key_size": "2048","common_name":"sc-rdops-vm05-dhcp-154-50.eng.vmware.com","country":"US","locality":"PA","state_or_province":"CA","organization":"VMware","organization_unit":"SSO","email_address":"abc@xyz.com"} }' --url https://<server>/rest/vcenter/certificate-management/vcenter/tls-csr --header 'vmware-api-session-id:4916bc4a8d37d3742277d0e26ac28faa'
Replace a Certificate
This example replaces an existing TLS certificate with another certificate obtained from a CSR that you generated. You must provide the obtained certificate in PEM format in the input spec.
You must generate a CSR before you can replace a certificate.
You can perform this operation as part of a use case scenario in which you want to replace a VMCA-issued TLS certificate with a TLS certificate issued by a custom Certificate Authority (CA). You must use the CSR and obtain a certificate from the external CA to replace the existing certificate. For details on the CSR generation operation, see Generate a CSR.
curl -i --insecure -H 'Content-Type:application/json' --request PUT --data-ascii '{"spec":{"cert":"-----BEGIN CERTIFICATE-----\nMIIEJTCCAw2gAwIBAgIJAM5BdOvJGi+MMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYD\nVQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ\nFgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExKTAnBgNV\nBAoMIHNjMS0xMC03OC0xMDYtMTY4LmVuZy52bXdhcmUuY29tMRswGQYDVQQLDBJW\nTXdhcmUgRW5naW5lZXJpbmcwHhcNMTkwOTEyMDkyNDIwWhcNMjAwNzA4MDkyNDIw\nWjBsMQswCQYDVQQGEwJJTjEMMAoGA1UECAwDQmdsMQwwCgYDVQQHDANOR0wxDDAK\nBgNVBAoMA3ZtdzEzMDEGA1UEAwwqc2MyLXJkb3BzLXZtMDctZGhjcC0yNDUtMjA0\nLmVuZy52bXdhcmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n3o1uY1FRL0fJX9k4GnPhp5hIFvbHcYTU+WgPDDtboskcJwUSybOxLu6s2gRHjDH4\nx0VQQ2U9DtlIds62jJErOqhstSmip8SQmhrVa1eN9ORwFeFEjHrFuAAdhKQirWj7\nu93kFv3vyoEp6vf0ZrTVvK9P4MZ3xO8ZWed6EiU6ju+eNJvEd1lJ+3l0InvORFp0\nH/V7LvfwA1G0rwbCzKQ+VWWZsO4cLMAoXqReXN9E2q2CtpGPXUCA7SLBXasrQxda\nELPXSDn+Dnnql319GLGkiJDa8k1K6RqZ6knu1dwGvBNw5P6LWhsLqRz44RSr27Zw\npvarlVuVnab/5b6DfgHgiQIDAQABo4GNMIGKMBUGA1UdEQQOMAyCBHNjMi2HBAoB\nAQEwHwYDVR0jBBgwFoAUphwxwKuWlxqZgFdHYJLbyRrprB8wUAYIKwYBBQUHAQEE\nRDBCMEAGCCsGAQUFBzAChjRodHRwczovL3NjMS0xMC03OC0xMDYtMTY4LmVuZy52\nbXdhcmUuY29tL2FmZC92ZWNzL2NhMA0GCSqGSIb3DQEBCwUAA4IBAQAyydRgWRBf\n8hVkC89yE912kRqh9sQyN2VtnjEQ0el+HB9FAYlhlYgW4mFK+f50NliyiKsGiPT6\nvL/5Txub3CyLmMuzBgr2r8DnSiOntN9OJdF+FuFmGN6KvK9RvNpJwhtFjjVnDc45\nGYUyAhNpXvLec+DyAJDdqBtTDy9VqypPBHGhPoMNDjnHI+Zj7svS+duunGD+A9y6\n9+HJKyK+TnhlCDcms/kmwvUWjBt56p6OmPXGpXz8aUNe/byL59gqbgPBQoV1ASnu\nvJm5sXiehzwdYglnCIdbCebL7tdJRh8Qsv1mQ7gfuOrjFtfVfSAbIjUPRH5o4LHa\nOvCeaa6p+dsw\n-----END CERTIFICATE-----"}}' --url https://<
server
>/rest/vcenter/certificate-management/vcenter/tls/ --header 'vmware-api-session-id:4916bc4a8d37d3742277d0e26ac28faa'
Create and Add Trusted Root Certificates
This example creates two certificate chains and adds them to the trusted root chain.
curl --insecure -H 'Content-Type:application/json' --request POST --data-ascii '{ "spec" : { "cert_chain" : {"cert_chain": ["-----BEGIN CERTIFICATE-----\nMIIDwjCCAqqgAwIBAgIJAI1OflMjc0LfMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV\nBAYTAklOMQswCQYDVQQIDAJLQTEMMAoGA1UEBwwDQkxSMQ8wDQYDVQQKDAZWTXdh\ncmUxDDAKBgNVBAsMA1NTTzEMMAoGA1UEAwwDQ0ExMR8wHQYJKoZIhvcNAQkBFhBz\naWduMUB2bXdhcmUuY29tMB4XDTE5MDEwMjA2MTIyMloXDTI4MTIzMDA2MTIyMlow\ndjELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAktBMQwwCgYDVQQHDANCTFIxDzANBgNV\nBAoMBlZNd2FyZTEMMAoGA1UECwwDU1NPMQwwCgYDVQQDDANDQTExHzAdBgkqhkiG\n9w0BCQEWEHNpZ24xQHZtd2FyZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\nggEKAoIBAQDHuDDoAyGj6FGLZOIxMEK7oO2LhbfGbIbBiXTR5WWSkTsmsxy0Vge5\nhbVEkGW2OjgIxvmqBC/nVeH1b4gTJAZFmJ6lrh6Ri8HC5cyIePVJkz/PR08SbKmy\nmagd02N6ZqBgMEr3eQ2NTtqUOutvphRT5f+fyGKL5uPjOrhNn6v8GDrIF4wUY6aV\nWYDG6Mcay/cv814PZoTIJa0juIEfJXzOO0gxzAY6Jwi6k3DmLkps7zFErRbWUwYR\niaa46LKRHRlX71h0gsWfx7TNdCvQ8emiPXsYsqUkOy9+MSfr3CsQcPzNy8qDbImt\ngK6z2T4vvV7r5Iir5srD7yyWm5rKmtFDAgMBAAGjUzBRMB0GA1UdDgQWBBSv6kwh\nVWkFQ/se4wRz3PayMJTjgzAfBgNVHSMEGDAWgBSv6kwhVWkFQ/se4wRz3PayMJTj\ngzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC2yEXM2fTCYRvh\noD40MrDLK/g+mKSixvsXtebTga47fHi8LxnT6KXGc44ZMT/HTSzwk2alYG8EXHK1\nFZeNNFnhYmS24DLgrCq+9p/yThotbfWe6vaUZ87jgbAP9HRAsq/9HYW3s0lUBD4i\ne/FZrBGRjgdtXVQ0tm5N6TVRQq2IwVPQ3niv36KLFu9MmAMhlIIZ3y8sX4Bha13q\nmhOCM74/qw4d88kGgq9lnebpwhmmXl5IOScZX39gJpsgpWQ4a1lhOTWWLT5NYu3z\nxiS9Jc1hr0PWtKE5eWSVu6mMmEx9Tqov/KKMRBCP/pp4aHyn0NlWFtHl7MtWrGC7\nohzPCShe\n-----END CERTIFICATE-----","-----BEGIN 
CERTIFICATE-----\nMIID5jCCAs6gAwIBAgIBCDANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJTjEL\nMAkGA1UECAwCS0ExDDAKBgNVBAcMA0JMUjEPMA0GA1UECgwGVk13YXJlMQwwCgYD\nVQQLDANTU08xDDAKBgNVBAMMA0NBMTEfMB0GCSqGSIb3DQEJARYQc2lnbjFAdm13\nYXJlLmNvbTAeFw0xOTAxMDIwNjE3MDZaFw0yNDA2MjQwNjE3MDZaMGgxCzAJBgNV\nBAYTAklOMQswCQYDVQQIDAJLQTEPMA0GA1UECgwGVk13YXJlMQwwCgYDVQQLDANT\nU08xDDAKBgNVBAMMA0NBMjEfMB0GCSqGSIb3DQEJARYQc2lnbjJAdm13YXJlLmNv\nbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3s5ycFPQmgffQmZKaE\nM/0ymZgh/Kz3txTmWpAiEPGpGdrulDfwubDEbOXfHtsWfcvj48iDa6Nn4g5bNrej\naMoBEIKd0WeV9fwnL/i2wYFiKKhLYiWaHDm5BT79YVaBLEMK6BL/9wc2FoUI2vEf\nQyVSuDuKWSrwx3gB2IFC2q7BpzT3kgq1HmWKVA52nFpMgbe1zlRy9sV08bBTybMO\nzm/Z0c4+a5Y0P1fO6ThiCF+92s0jMow0Bm96qN3nQm6lMgbcY+5um7RgOuBY4iSF\nKTblVDMS/rZAQkPwcP/E8AxcywRazx46awCfe3NAasiVBuI/iADc63SmYs+z+0cS\n8qECAwEAAaOBjDCBiTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAsBglghkgB\nhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE\nFDexYpQDPTkuYf9M47ILnGOg5Fh/MB8GA1UdIwQYMBaAFK/qTCFVaQVD+x7jBHPc\n9rIwlOODMA0GCSqGSIb3DQEBCwUAA4IBAQAMKy6fM7ldYf/IlMSR/0zH4gTauR8Z\nERXkRD65SXa9YgOkp/U59mhlGsfxeAze47jXjD7GNTNpLogYFQkXP9yrIpyYKjRP\n0I8zo8faY/9hEJn2pHZTaYKgZICw0rlfCwGF/so1cxnkocoIsmA56lMPT5xcmyFc\nkvwEBgTb8WgXUTnR0MA20puGI8aaXsAHOwQYM8nexvrfSbJADYJtcG73YqjswNYk\niloSd/uslyhmvb1HVyix794SxAIEybs177ijKOxdicq3XogaeGhOIymvDcCv/55J\n5FgJY341cCZmESPyC1GkuX52OSoZartB1jhSd5cKKlaLobFbTTajs9oa\n-----END CERTIFICATE-----"]}}}' --url https://<
server
>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/ --header 'vmware-api-session-id:e594038d4c1023afe86b2c14b0b741f0'
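The Replace a Certificate and Create and Add Trusted Root Certificates requests above carry PEM text inside a JSON string, with each line break written as \n. The shell functions below are an added example, not part of the original page: they build both request bodies from PEM files and refuse any file whose content could terminate the JSON string early. The file arguments and the VC_HOST, VC_CA_BUNDLE and VC_SESSION_CONFIG variables are assumptions; the request verifies the server with --cacert instead of --insecure and reads the session header from a curl config file, so the session ID does not appear in the process list.

```sh
# Added example; paths and the VC_* variables below are assumptions.

# Print a PEM file as one JSON string, newlines written as \n. Fails on any
# character outside the PEM alphabet, so file content cannot end the string.
pem_to_json_string() {
  LC_ALL=C awk '
    /[^A-Za-z0-9+\/= -]/ { bad = 1 }
    NR == 1 && $0 != "-----BEGIN CERTIFICATE-----" { bad = 1 }
    { out = out (NR > 1 ? "\\n" : "") $0; last = $0 }
    END {
      if (bad || last != "-----END CERTIFICATE-----") exit 1
      printf "\"%s\"", out
    }' "$1"
}

# Body for PUT .../vcenter/tls/ (Replace a Certificate).
build_tls_replace_spec() {
  cert=$(pem_to_json_string "$1") || return 1
  printf '{"spec":{"cert":%s}}' "$cert"
}

# Body for POST .../trusted-root-chains/; one array element per PEM file.
build_trusted_root_spec() {
  list=""
  for f in "$@"; do
    item=$(pem_to_json_string "$f") || return 1
    list="${list:+$list,}$item"
  done
  printf '{"spec":{"cert_chain":{"cert_chain":[%s]}}}' "$list"
}

# Send the replacement. VC_SESSION_CONFIG is a mode-600 curl config file with
# the line: header = "vmware-api-session-id: <session-id>"
replace_tls_cert() {
  body=$(build_tls_replace_spec "$1") || return 1
  printf '%s' "$body" | curl --cacert "$VC_CA_BUNDLE" --request PUT \
    -H 'Content-Type:application/json' --data-binary @- \
    --config "$VC_SESSION_CONFIG" \
    --url "https://$VC_HOST/rest/vcenter/certificate-management/vcenter/tls/"
}

# Constructed sample (not a real certificate) to show the body shape.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
  '-----END CERTIFICATE-----' > "$sample"
build_tls_replace_spec "$sample"; echo
rm -f "$sample"
```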
List the Trusted Root Certificates
This example lists the IDs of all certificates present in the trusted root chain.
curl --insecure --request GET --url https://<server>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/ --header 'vmware-api-session-id: e594038d4c1023afe86b2c14b0b741f0'
Get Trusted Root Certificate Information
This example retrieves information about a trusted root certificate with ID AFEA4C2155690543FB1EE30473DCF6B23094E383.
curl --insecure --request GET --url https://<server>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/AFEA4C2155690543FB1EE30473DCF6B23094E383 --header 'vmware-api-session-id: e594038d4c1023afe86b2c14b0b741f0'
Delete a Trusted Root Certificate
This example deletes the trusted root certificate with ID AFEA4C2155690543FB1EE30473DCF6B23094E383.
curl --insecure --request DELETE --url https://<server>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/AFEA4C2155690543FB1EE30473DCF6B23094E383 --header 'vmware-api-session-id: e594038d4c1023afe86b2c14b0b741f0'