Certificate Management Operations
Use the vSphere Automation API to manage trusted root certificate chains, VMware Certificate Authority (VMCA) root certificates, machine SSL (TLS) certificates, and Security Token Service (STS) signing certificates. With the vSphere Automation API, you can not only refresh VMCA-issued certificates but also add external and third-party certificates to your vSphere environment. For more information on vSphere certificate management, see the vSphere Authentication guide.

Location of the Certificate Management Services

You can find the vSphere certificate management services for your automation in the com.vmware.vcenter.certificate_management.vcenter Java package and the com.vmware.vcenter.certificate_management.vcenter_client Python module.

Certificate Management Interfaces

You can use the following interfaces to manage certificates with the vSphere Automation API:

- TrustedRootChains
- VMCARoot
- TLSCSR
- TLS
- SigningCertificate
Certificate Management Operations
You can use the operations listed in the following table to manage certificates.

Operation | Interface | Java / Python Operation | Description | Introduced in
---|---|---|---|---
List trusted root certificates | TrustedRootChains | list() | Retrieves the identifiers of all trusted root certificate chains that are present in vCenter Server. | vSphere 6.7 U2
Get trusted root certificate information | TrustedRootChains | get(chain) | Retrieves a root certificate chain by its identifier. You can obtain the identifier with the List trusted root certificates operation. | vSphere 6.7 U2
Add a trusted root certificate | TrustedRootChains | create(spec) | Adds a trusted root certificate chain to your vCenter Server system. | vSphere 6.7 U2
Delete a trusted root certificate | TrustedRootChains | delete(chain) | Deletes a root certificate chain by its unique identifier. You can obtain the identifier with the List trusted root certificates operation. | vSphere 6.7 U2
Replace the VMCA root certificate | VMCARoot | create(spec) | Replaces the VMCA root certificate with a new VMCA-signed certificate. The operation triggers a restart of the services that use this certificate. | vSphere 7.0
Generate a CSR | TLSCSR | create(spec) | Generates a certificate signing request (CSR) from the given spec. Submit the CSR to your CA to issue a custom machine SSL certificate. | vSphere 6.7 U2
Get the machine SSL certificate | TLS | get() | Retrieves the machine SSL certificate of your vCenter Server system. | vSphere 6.7 U2
Renew the machine SSL certificate | TLS | renew(duration) | Renews the validity of the machine SSL certificate for a specified number of days. The duration must be less than or equal to 730 days. If you pass null (Java) or None (Python), the default duration of 730 days is applied. | vSphere 6.7 U2
Replace the machine SSL certificate with a custom signed certificate | TLS | set(spec) | Replaces the vCenter Server machine SSL certificate with a custom certificate signed by an external or third-party Certificate Authority (CA). | vSphere 6.7 U2
Replace the machine SSL certificate with a VMCA-signed certificate | TLS | replaceVmcaSigned(spec) | Replaces the vCenter Server machine SSL certificate with a VMCA-signed certificate. | vSphere 7.0
Retrieve the STS signing certificate chains | SigningCertificate | get() | Retrieves the STS signing certificate chains, which are used to validate tokens signed by vCenter Server. | vSphere 7.0 U3
Replace the STS signing certificate | SigningCertificate | set(spec) | Replaces the current STS signing certificate with a certificate of your choice. The accepted file format is PEM. | vSphere 7.0 U3
Refresh the STS signing certificate | SigningCertificate | refresh(force) | Replaces the current STS signing certificate with a new VMCA-signed certificate and sets the newly generated certificate as the active STS signing certificate for the vCenter Server token service. Pass true as the force parameter for environments that might otherwise prevent the operation from succeeding. | vSphere 7.0 U3
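As an added example that is not part of this page or of the vSphere Automation SDK, the following Python script prepares and sanity-checks the inputs for the TLS set(spec) operation before anything is sent to vCenter Server: it parses the PEM bundle an external CA returns for your CSR using only the standard library, orders the certificates leaf-first by matching each issuer to a subject, confirms the leaf is valid at the reference time, and splits the bundle into the machine SSL certificate and its CA chain. The field names cert, key and root_cert are the assumed names of the Python SDK's Tls.Spec (the page does not list them), the DER reader and encoder are the example's own helpers, and the three sample certificates are constructed, unsigned DER structures built inline so the script runs offline.

```python
# Added example (not VMware code): stdlib-only pre-flight checks for the
# inputs of TLS.set().  A PEM bundle from an external CA is parsed, ordered
# leaf-first and split into the assumed Tls.Spec values cert / key / root_cert.
# The sample certificates below are constructed, unsigned DER structures.
import base64
import re
from datetime import datetime, timezone

# ---- minimal DER reader (enough for tbsCertificate) ---------------------------
def _tlv(buf, pos=0):
    """Return (tag, value, end_offset) of the TLV that starts at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _time(tag, raw):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = raw.decode()
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Extract issuer/subject (raw DER Name bytes) and validity of one cert."""
    _, cert, _ = _tlv(der)
    _, tbs, _ = _tlv(cert)                         # tbsCertificate comes first
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = list(_children(validity))
    return {"issuer": issuer, "subject": subject,
            "not_before": _time(*not_before), "not_after": _time(*not_after)}

# ---- PEM helpers ----------------------------------------------------------------
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    return [base64.b64decode("".join(m.split())) for m in _PEM.findall(text)]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# ---- chain ordering and TLS.set inputs ------------------------------------------
def order_chain(ders):
    """Return the bundle leaf-first, ending at the self-signed root.
    Names are compared as raw DER bytes, which is sufficient for chains
    emitted by one CA; RFC 5280 string-folding rules are not applied."""
    info = {d: parse_cert(d) for d in ders}
    named_as_issuer = {i["issuer"] for i in info.values() if i["issuer"] != i["subject"]}
    leaves = [d for d, i in info.items() if i["subject"] not in named_as_issuer]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain, cur = [leaves[0]], info[leaves[0]]
    while cur["issuer"] != cur["subject"]:
        parents = [d for d, i in info.items() if i["subject"] == cur["issuer"]]
        if not parents:
            raise ValueError("incomplete chain: issuer certificate missing from bundle")
        chain.append(parents[0])
        cur = info[parents[0]]
    return chain

def tls_set_inputs(bundle_pem, key_pem, now):
    """Build the values for the assumed Tls.Spec fields cert / key / root_cert."""
    chain = order_chain(pem_certs(bundle_pem))
    leaf = parse_cert(chain[0])
    if not leaf["not_before"] <= now <= leaf["not_after"]:
        raise ValueError("leaf certificate is not valid at the reference time")
    return {"cert": to_pem(chain[0]), "key": key_pem,
            "root_cert": "".join(to_pem(d) for d in chain[1:])}

# ---- constructed sample (unsigned; stands in for an external CA's output) -------
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def _seq(*parts):
    return _enc(0x30, b"".join(parts))

def _name(cn):          # Name -> RDN SET -> (id-at-commonName, UTF8String)
    return _seq(_enc(0x31, _seq(b"\x06\x03\x55\x04\x03", _enc(0x0C, cn.encode()))))

def _utc(y, m, d):
    return _enc(0x17, f"{y % 100:02d}{m:02d}{d:02d}000000Z".encode())

_ALG = _seq(b"\x06\x03\x2A\x03\x04")               # placeholder AlgorithmIdentifier

def _cert(subject, issuer, serial):
    tbs = _seq(_enc(0xA0, _enc(0x02, b"\x02")), _enc(0x02, bytes([serial])), _ALG,
               _name(issuer), _seq(_utc(2024, 1, 1), _utc(2026, 1, 1)), _name(subject),
               _seq(_ALG, _enc(0x03, b"\x00")))
    return _seq(tbs, _ALG, _enc(0x03, b"\x00"))

ROOT = _cert("Example Root CA", "Example Root CA", 1)
INTER = _cert("Example Issuing CA", "Example Root CA", 2)
LEAF = _cert("vcenter.example.com", "Example Issuing CA", 3)
SAMPLE_BUNDLE = to_pem(ROOT) + to_pem(LEAF) + to_pem(INTER)   # deliberately out of order
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)       # constructed reference time

if __name__ == "__main__":
    spec = tls_set_inputs(SAMPLE_BUNDLE, SAMPLE_KEY, SAMPLE_NOW)
    print(spec["cert"] + spec["root_cert"])        # leaf, then issuing CA, then root
```

To apply the result with the SDK, pass the three values to the Tls.Spec of the TLS interface and call set(spec) (assumed usage; check the SDK reference for the exact spec class). The ordering check matters because the API is handed a leaf plus a chain, not an unordered bundle, and a chain whose issuer is absent from the bundle is rejected here before vCenter Server has to restart anything.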