Certificate Management Operations

Use the vSphere Automation API to manage trusted root certificate chains, VMware Certificate Authority (VMCA) root certificates, machine SSL (TLS) certificates, and Security Token Service (STS) signing certificates. With the vSphere Automation API, you can not only refresh the VMCA-issued certificates but also add external and third-party certificates to your vSphere environment. For more information on vSphere certificate management, see the vSphere Authentication guide.

Location of the Certificate Management Services

You can find the vSphere certificate management services for your automation in the com.vmware.vcenter.certificate_management.vcenter Java package and the com.vmware.vcenter.certificate_management.vcenter_client Python module.

Certificate Management Interfaces

You can use the following interfaces to manage certificates with the vSphere Automation API:
  • TrustedRootChains
  • VMCARoot
  • TLSCSR
  • TLS
  • SigningCertificate

Certificate Management Operations

You can use the operations listed in the following table to manage certificates.

Certificate Management Operations

| Operation | Interface | Java / Python Operation | Description | Introduced in |
|---|---|---|---|---|
| List trusted root certificates | TrustedRootChains | list() | You can retrieve the identifiers of all trusted root certificates that are present in vCenter Server. | vSphere 6.7 U2 |
| Get trusted root certificate information | TrustedRootChains | get(chain) | You can retrieve a root certificate chain by providing its identifier. You can retrieve the identifier by using the List trusted root certificates operation. | vSphere 6.7 U2 |
| Add a trusted root certificate | TrustedRootChains | create(spec) | You can add a trusted root certificate chain to your vCenter Server system. | vSphere 6.7 U2 |
| Delete a trusted root certificate | TrustedRootChains | delete(chain) | You can delete a root certificate by providing its unique identifier. You can retrieve the identifier by using the List trusted root certificates operation. | vSphere 6.7 U2 |
| Replace the VMCA root certificate | VMCARoot | create(spec) | You can replace the VMCA root certificate with a new VMCA-signed certificate. The operation triggers a restart of the services that are using this certificate. | vSphere 7.0 |
| Generate a CSR | TLSCSR | create(spec) | You can generate a CSR from the given spec and use it to have a custom certificate issued. | vSphere 6.7 U2 |
| Get the Machine SSL certificate | TLS | get() | You can retrieve the machine SSL certificate of your vCenter Server system. | vSphere 6.7 U2 |
| Renew the Machine SSL certificate | TLS | renew(duration) | You can renew the validity of the machine SSL certificate for a specified period in days. The duration must be less than or equal to 730 days. If you pass null (Java) or None (Python), the default duration of 730 days is applied. | vSphere 6.7 U2 |
| Replace the Machine SSL certificate with a custom signed certificate | TLS | set(spec) | You can replace the vCenter Server machine SSL certificate with a custom certificate signed by an external or a third-party Certificate Authority (CA). | vSphere 6.7 U2 |
| Replace the Machine SSL certificate with a VMCA-signed certificate | TLS | replaceVmcaSigned(spec) | You can replace the vCenter Server machine SSL certificate with a VMCA-signed certificate. | vSphere 7.0 |
| Retrieve the STS signing certificate chains | SigningCertificate | get() | You can retrieve the STS signing certificate chains, which are used for validating tokens signed by vCenter Server. | vSphere 7.0 U3 |
| Replace the STS signing certificate | SigningCertificate | set(spec) | You can replace the current STS signing certificate with a certificate of your choice. The accepted file format is PEM. | vSphere 7.0 U3 |
| Refresh the STS signing certificate | SigningCertificate | refresh(force) | You can replace the current STS signing certificate with a new VMCA-signed certificate. The newly generated certificate is set as the active STS signing certificate for the vCenter Server token service. You can pass true as the value of the force parameter for environments that might otherwise prevent the operation from succeeding. | vSphere 7.0 U3 |
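The following added example (not VMware's code) shows client-side checks around two rows of the table: it bounds the TLS renew(duration) request to the 730-day limit, treating None as the default, and validates a PEM bundle before it is handed to TrustedRootChains.create(spec) or SigningCertificate.set(spec). The StubConfiguration argument, the Tls(stub_config) constructor and the valid_to field of Tls.Info are assumed from the vSphere Automation Python SDK; the sample bundle is constructed and contains no real certificates.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

MAX_RENEW_DAYS = 730  # upper bound, and the default, for Tls.renew(duration)
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample bundle: valid base64 bodies, but NOT real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBszCCAVwCAQAwDQYJ\nKoZIhvcNAQELBQAw\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBszCCAVwCAQEwDQYJ\n-----END CERTIFICATE-----\n"
)

def split_pem_chain(bundle):
    """Split a PEM bundle into the per-certificate strings that
    TrustedRootChains.create(spec) and SigningCertificate.set(spec) take as the
    chain. Malformed blocks are rejected here, before anything reaches vCenter Server."""
    certs = []
    for body in _PEM_CERT.findall(bundle):
        base64.b64decode("".join(body.split()), validate=True)  # ValueError if not base64
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body)
    if not certs:
        raise ValueError("no PEM certificates found in bundle")
    return certs

def renew_plan(valid_to, renew_within_days=30, requested_days=None, now=None):
    """Decide whether Tls.renew(duration) should run for a machine SSL certificate
    that expires at valid_to. Returns (should_renew, duration); a duration of None
    lets vCenter Server apply its 730-day default."""
    if requested_days is not None and not 1 <= requested_days <= MAX_RENEW_DAYS:
        raise ValueError("duration must be between 1 and %d days" % MAX_RENEW_DAYS)
    if valid_to.tzinfo is None:  # treat a naive datetime from the SDK as UTC
        valid_to = valid_to.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if valid_to - now > timedelta(days=renew_within_days):
        return (False, None)
    return (True, requested_days)

def renew_machine_ssl_if_needed(stub_config, renew_within_days=30, duration=None):
    """Live use against vCenter Server. stub_config is an authenticated vmware.vapi
    StubConfiguration (assumed to come from the SDK connection helpers, not shown)."""
    from com.vmware.vcenter.certificate_management.vcenter_client import Tls
    tls = Tls(stub_config)
    info = tls.get()  # Tls.Info; valid_to is assumed to be the expiry datetime
    should_renew, days = renew_plan(info.valid_to, renew_within_days, duration)
    if should_renew:
        tls.renew(duration=days)  # None -> 730-day default, per the table above
    return should_renew
```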