Certificate Management Operations
Use the vSphere Automation API to manage trusted root certificate chains, VMware Certificate Authority (VMCA) root certificates, machine SSL (TLS) certificates, and Security Token Service (STS) signing certificates. With the vSphere Automation API, you can not only refresh the VMCA-issued certificates but also add external and third-party certificates to your vSphere environment. For more information on vSphere certificate management, see the vSphere Authentication guide.
Certificate Management Interfaces
You can use the following interfaces to manage certificates with the vSphere Automation API:
- Trusted Root Chains
- VMCA Root
- TLS CSR
- TLS
- Signing Certificate
Certificate Management Operations
You can use the operations listed in the following table to manage certificates.
Operation | Interface | HTTP Request | Description | Introduced in |
---|---|---|---|---|
List trusted root certificates | Trusted Root Chains | GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains | You can retrieve the identifiers of all trusted root certificates that are present in vCenter Server. | vSphere 6.7 U2 |
Get trusted root certificate information | Trusted Root Chains | GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains/<chain> | You can retrieve a root certificate chain by providing its identifier. You can retrieve the identifier by using the List trusted root certificates operation. | vSphere 6.7 U2 |
Add a trusted root certificate | Trusted Root Chains | POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains | Use this operation to add a trusted root certificate chain to your vCenter Server system. | vSphere 6.7 U2 |
Delete a trusted root certificate | Trusted Root Chains | DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains/<chain> | You can delete a root certificate by providing its unique identifier. You can retrieve the identifier by using the List trusted root certificates operation. | vSphere 6.7 U2 |
Replace the VMCA root certificate | VMCA Root | POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/vmca-root | You can replace the VMCA root certificate with a new VMCA-signed certificate. The operation triggers a restart of the services that are using this certificate. | vSphere 7.0 |
Generate a CSR | TLS CSR | POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls-csr | You can generate a CSR and use it to issue a custom certificate. If the operation is successful, you receive a CSR in PEM format. | vSphere 6.7 U2 |
Get the Machine SSL certificate | TLS | GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls | You can retrieve the Machine SSL certificate of your vCenter Server system. | vSphere 6.7 U2 |
Renew the Machine SSL certificate | TLS | POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls?action=renew | You can renew the validity of the Machine SSL certificate for a specified period in days. The duration must be less than or equal to 730 days. | vSphere 6.7 U2 |
Replace the Machine SSL certificate with a custom signed certificate | TLS | PUT https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls | You can replace the vCenter Server Machine SSL certificate with a custom certificate signed by an external Certificate Authority (CA). | vSphere 6.7 U2 |
Replace the Machine SSL certificate with a VMCA-signed certificate | TLS | POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls?action=replace-vmca-signed | You can replace the vCenter Server Machine SSL certificate with a VMCA-signed certificate. | vSphere 7.0 |
Retrieve the STS signing certificate chains | Signing Certificate | GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/signing-certificate | You can retrieve the STS signing certificate chains, which are used for validating tokens signed by vCenter Server. | vSphere 7.0 U3 |
Replace the STS signing certificate | Signing Certificate | PUT https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/signing-certificate | You can replace the current STS signing certificate with a certificate of your choice. The accepted file format is PEM. | vSphere 7.0 U3 |
Refresh the STS signing certificate | Signing Certificate | POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/signing-certificate?action=refresh | You can replace the current STS signing certificate with a new VMCA-signed certificate. The newly generated certificate is set as the active STS signing certificate for the vCenter Server token service. | vSphere 7.0 U3 |
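The following added example (not VMware's code) uses the Trusted Root Chains and TLS operations from the table to inventory every trusted root in vCenter Server by SHA-256 fingerprint, flag roots that are not on an approved list, and build a renew request that respects the 730-day limit. It assumes the API's published response and request shapes (`[{"chain": id}]`, `{"cert_chain": {"cert_chain": [pem, ...]}}`, and a `duration` key for renew) and authenticates with POST /api/session; the `fake_send` transport and its PEM blobs are constructed for offline use and are not real certificates.

```python
import base64, hashlib, json, ssl, urllib.request
MAX_RENEW_DAYS = 730  # upper bound the Renew operation accepts, per the table above

def make_sender(host, user, password, cafile=None):
    """Log in with POST /api/session; return send(method, path, body) bound to that session."""
    ctx = ssl.create_default_context(cafile=cafile)  # keep TLS verification on for the API itself
    def request(method, path, body=None, extra=None):
        req = urllib.request.Request(
            f"https://{host}/api/{path}", method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Content-Type": "application/json", **(extra or {})})
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    session = request("POST", "session", extra={"Authorization": f"Basic {basic}"})
    return lambda m, p, b=None: request(m, p, b, {"vmware-api-session-id": session})

def pem_fingerprint(pem):
    """SHA-256 fingerprint (hex) of one PEM certificate, the form CA inventories usually list."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def audit_trusted_roots(send, approved):
    """List (chain_id, fingerprint) for every trusted root cert whose fingerprint is not approved."""
    base = "vcenter/certificate-management/vcenter/trusted-root-chains"
    unexpected = []
    for entry in send("GET", base):                     # assumed shape: [{"chain": "<id>"}, ...]
        info = send("GET", f"{base}/{entry['chain']}")  # assumed: {"cert_chain": {"cert_chain": [pem, ...]}}
        for pem in info["cert_chain"]["cert_chain"]:
            fp = pem_fingerprint(pem)
            if fp not in approved:
                unexpected.append((entry["chain"], fp))
    return unexpected

def renew_body(days):
    """Body for POST .../tls?action=renew (key name assumed); reject durations over the documented limit."""
    if not 1 <= days <= MAX_RENEW_DAYS:
        raise ValueError(f"duration must be between 1 and {MAX_RENEW_DAYS} days, got {days}")
    return {"duration": days}

# Constructed offline stand-in for send(): two chains, one holding a root that is not on the approved list.
def fake_pem(payload):  # PEM framing around constructed bytes, not a real certificate
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode() + "\n-----END CERTIFICATE-----"
FAKE_CHAINS = {"chain-corp-root": [fake_pem(b"corp-root")], "chain-unknown": [fake_pem(b"rogue-root")]}
APPROVED = {pem_fingerprint(fake_pem(b"corp-root"))}
def fake_send(method, path, body=None):
    last = path.rsplit("/", 1)[-1]
    if last == "trusted-root-chains":
        return [{"chain": c} for c in FAKE_CHAINS]
    return {"cert_chain": {"cert_chain": FAKE_CHAINS[last]}}
```

Against a live system, replace `fake_send` with `make_sender("<vcenter_fqdn>", user, password, cafile="<ca-bundle>")`; any chain the audit returns is a root that nobody approved and is worth investigating before it is removed with the Delete operation.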