Add a Root Certificate to vCenter Server

You can use the TrustedRootChains interface to add, delete and read trusted root certificate chains.
  • Verify that the root certificate or certificate chain you want to add is available on your machine.
  • Verify that you have the required privileges: CertificateManagement.Manage and CertificateManagement.Administer.
If you want to use an enterprise or third-party certificate authority (CA) for certificate management of your vSphere environment, you must first establish trust with that CA. You do this by adding the root certificate of the external CA to the trusted root store of your vCenter Server system.
Adding a root certificate or certificate chain to the vCenter Server trusted certificate store is also a prerequisite for other scenarios, such as setting a third-party or enterprise machine SSL certificate. Note that once a root is in the store, vCenter Server trusts every certificate that chains to it, so verify the root out of band before you add it.
  1. Retrieve the root certificates on your vCenter Server system by calling the list function of the TrustedRootChains interface.
  2. Create an X509CertChain instance with the root certificate you want to add.
  3. Create a specification with the new X509CertChain instance.
  4. To add the root certificate, call the create function of the TrustedRootChains interface.
If the operation is successful, the system returns the unique identifier of the trusted root certificate you added.
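The SDK sample below takes the chain as a single command-line string and sends it straight to create. The following is an added example, not part of the VMware sample or the SDK, that does the preparation work a practitioner wants before step 2: it splits a PEM bundle into individual certificates, checks that each body is valid base64 wrapping a DER SEQUENCE, computes SHA-256 fingerprints so the root can be compared with the value the CA published, skips certificates whose fingerprint is already in the store (the trusted_pems input is assumed to be PEM text gathered from the chains that list and get return), and encodes the result in the comma-and-"\n" form the sample's --certchain option expects. Only the standard library is used; the two certificate bodies are constructed placeholders (minimal DER SEQUENCE values, not real X.509 certificates), so the checks are structural, not a full X.509 parse.

```python
"""Prepare and sanity-check a PEM chain for TrustedRootChains.create.

Added example; not the VMware sample. Standard library only. The sample
certificate bodies are constructed DER SEQUENCE placeholders, not real
X.509 certificates, and the checks are PEM/DER-level only.
"""
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def wrap_pem(b64):
    """Wrap a base64 body into a PEM CERTIFICATE block with 64-column lines."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % "\n".join(lines)


def split_pem_bundle(bundle):
    """Return the PEM certificate blocks in a bundle, in file order.

    Each body must be valid base64 and decode to a DER SEQUENCE (first byte
    0x30); anything else is rejected before it reaches vCenter.
    """
    certs = []
    for body in PEM_RE.findall(bundle):
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64: %s" % exc)
        if not der or der[0] != 0x30:
            raise ValueError("certificate body is not a DER SEQUENCE")
        certs.append(wrap_pem(b64))
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return certs


def der_of(pem):
    """DER bytes of a single PEM certificate block."""
    body = PEM_RE.search(pem).group(1)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint of the DER encoding, as most CAs publish it."""
    digest = hashlib.sha256(der_of(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def not_yet_trusted(candidates, trusted_pems):
    """Candidates whose fingerprint is not already among trusted_pems.

    trusted_pems is assumed to be PEM text collected from the chains vCenter
    already holds (TrustedRootChains.list / get); duplicates are dropped.
    """
    known = {sha256_fingerprint(p) for p in trusted_pems}
    return [c for c in candidates if sha256_fingerprint(c) not in known]


def to_certchain_arg(certs):
    """Encode certificates as the sample's --certchain string: PEM blocks
    separated by commas, each newline written as the two characters '\\n'."""
    return ",".join(c.replace("\n", "\\n") for c in certs)


def from_certchain_arg(arg):
    """The decoding the SDK sample applies to --certchain (inverse of the above)."""
    return arg.encode("utf-8").decode("unicode_escape").split(",")


# Constructed placeholders: minimal DER SEQUENCEs, not real certificates.
DER_A = b"\x30\x03\x02\x01\x01"
DER_B = b"\x30\x03\x02\x01\x02"
SAMPLE_BUNDLE = "\n".join(
    wrap_pem(base64.b64encode(d).decode("ascii")) for d in (DER_A, DER_B))

if __name__ == "__main__":
    chain = split_pem_bundle(SAMPLE_BUNDLE)
    for pem in chain:
        print("SHA256 fingerprint:", sha256_fingerprint(pem))
    # Pretend the first certificate is already in the vCenter store.
    new_certs = not_yet_trusted(chain, [chain[0]])
    print("--certchain", to_certchain_arg(new_certs))
```

Compare the printed fingerprint with the one the CA published before you call create; that comparison, not the DER check, is what makes the import a trust decision rather than a copy. The DER check only guards against truncated or mis-pasted files; confirm separately (for example with openssl x509 -noout -text) that the certificate carries basicConstraints CA:TRUE.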
Python
This example shows how to add a root certificate or certificate chain to your vCenter Server system. The example is based on the code in the trusted_root_chains_create.py sample file.
For related code samples, see the vsphere-automation-sdk-python VMware repository at GitHub.
#!/usr/bin/env python
"""
Description: Demonstrates the import of the TRUSTED ROOT CHAIN into vCenter

Sample Prerequisites:
    - The user invoking the API should have the CertificateManagement.Manage
      or the CertificateManagement.Administer privilege
"""
import requests

# Imports follow the module layout of the vsphere-automation-sdk-python samples.
from com.vmware.vcenter.certificate_management.vcenter_client import TrustedRootChains
from com.vmware.vcenter.certificate_management_client import X509CertChain
from samples.vsphere.common import sample_cli, sample_util
from vmware.vapi.vsphere.client import create_vsphere_client

parser = sample_cli.build_arg_parser()
parser.add_argument('--certchain', required=True,
                    help='The certificate chain to be imported into vCenter.')
args = sample_util.process_cli_args(parser.parse_args())

session = requests.session()
# --skipverification turns off TLS verification of the vCenter endpoint. Use it
# only against lab systems: this same session is about to install a new trust anchor.
session.verify = False if args.skipverification else True

# Login to vCenter
vsphere_client = create_vsphere_client(server=args.server,
                                       username=args.username,
                                       password=args.password,
                                       session=session)

# --certchain is one string: PEM blocks separated by commas, with each newline
# written as the two characters '\n'. Undo the escapes and split into a list of
# PEM certificates, which is what X509CertChain expects.
cert_chain = args.certchain.encode(encoding='utf-8').decode('unicode_escape').split(',')

# Creation of the spec for input to the API
x509_cert_chain = X509CertChain(cert_chain=cert_chain)
create_spec = TrustedRootChains.CreateSpec(cert_chain=x509_cert_chain)

# create returns the identifier (alias) of the newly trusted chain.
print('The alias of the certificate chain successfully imported into vCenter is listed below')
print(vsphere_client.vcenter.certificate_management.vcenter.TrustedRootChains.create(create_spec))