Configure Trusted TPMs of Attested ESXi Hosts on a Cluster Level

You can use HTTP requests to manage remote attestation configuration for TPM trust.
  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.
You can add, list, remove, and retrieve details about TPM CA certificates and TPM endorsement keys. You can also set and retrieve TPM 2.0 attestation settings.
Some operations require you to specify parameters in the body of the HTTP request according to your vSphere Trust Authority environment. For details about the syntax of each HTTP request body, see the API Reference documentation.
  1. Add a new TPM CA certificate to a Trusted Cluster to specify a trusted platform OEM.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  2. Retrieve a list of configured TPM CA certificates on a Trusted Cluster to identify the trusted platform OEMs.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  3. Remove a TPM CA certificate from a Trusted Cluster because a platform OEM is no longer trusted.
    DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates/<name>?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  4. Retrieve details about a specific TPM CA certificate on a Trusted Cluster to get more information about the trusted platform OEM.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates/<name>?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  5. Add a new TPM endorsement key to a Trusted Cluster to specify a trusted ESXi host.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  6. Retrieve a list of configured TPM endorsement keys in a Trusted Cluster to identify the trusted ESXi hosts.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  7. Remove a TPM endorsement key from a Trusted Cluster because an ESXi host is no longer trusted.
    DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys/<name>?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  8. Retrieve details about a specific TPM endorsement key on a Trusted Cluster to get more information about the trusted ESXi host.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys/<name>?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  9. Set the TPM 2.0 attestation settings by specifying that TPM endorsement keys on a Trusted Cluster do not need to be signed because the trusted OEM does not sign endorsement keys.
    PATCH https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/settings?vmw-task=true
    { "require_endorsement_keys" : false, "require_certificate_validation" : true }
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  10. Determine the TPM 2.0 attestation settings in a Trusted Cluster.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/settings?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
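As an added example, not VMware's code, the following Python helper drives step 1 of this procedure together with the submit-then-poll pattern shared by all ten steps, using a constructed offline stand-in for vCenter. The ca-certificates request body, the task id being returned as a JSON string, and the task record's "status" field are assumptions to confirm against the API Reference; session authentication against vCenter is omitted.

```python
import time
import urllib.parse

# Endpoint layout comes from the procedure above. The response shapes (task id as a
# JSON string, task record with a "status" field) and the ca-certificates request
# body are assumptions; confirm them against the API Reference.
BASE = "/api/vcenter/trusted-infrastructure/trust-authority-clusters"
TERMINAL = {"SUCCEEDED", "FAILED"}

def tpm2_url(vcenter, cluster, resource, name=None):
    """URL for ca-certificates, endorsement-keys or settings on a Trusted Cluster;
    segments are percent-encoded so a supplied name cannot add path components."""
    path = f"{BASE}/{urllib.parse.quote(cluster, safe='')}/attestation/tpm2/{resource}"
    if name is not None:
        path += "/" + urllib.parse.quote(name, safe="")
    return f"https://{vcenter}{path}?vmw-task=true"

def run_task(send, method, url, body=None, poll=0.0, max_polls=30):
    """Submit an asynchronous request, then poll GET /api/cis/tasks/<task_ID> until
    the task is SUCCEEDED or FAILED. send(method, url, body) -> (http_status, json)."""
    status, task_id = send(method, url, body)
    if status not in (200, 202) or not isinstance(task_id, str):
        raise RuntimeError(f"{method} {url}: HTTP {status} {task_id!r}")
    host = urllib.parse.urlsplit(url).netloc
    task_url = f"https://{host}/api/cis/tasks/{urllib.parse.quote(task_id, safe='')}"
    for _ in range(max_polls):
        status, task = send("GET", task_url, None)
        if status != 200:
            raise RuntimeError(f"task lookup failed: HTTP {status}")
        if task.get("status") in TERMINAL:
            return task  # caller inspects "status" (and error details on FAILED)
        time.sleep(poll)
    raise TimeoutError(f"task {task_id} not finished after {max_polls} polls")

def add_ca_certificate(send, vcenter, cluster, name, pem_chain):
    """Step 1: register a platform OEM's TPM CA certificate chain (assumed body shape)."""
    body = {"name": name, "cert_chain": {"cert_chain": pem_chain}}
    return run_task(send, "POST", tpm2_url(vcenter, cluster, "ca-certificates"), body)

def fake_vcenter():
    """Constructed stand-in for vCenter so the flow runs offline: accepts the POST,
    reports the task RUNNING on the first poll and SUCCEEDED on the second."""
    calls = []
    def send(method, url, body):
        calls.append((method, url))
        if method == "POST":
            return 200, "task-0001"  # constructed task id, not a real vCenter value
        return 200, {"status": "RUNNING" if len(calls) < 3 else "SUCCEEDED"}
    return send, calls
```

Against a real vCenter, replace fake_vcenter's send with a function that issues the HTTPS request with the vCenter session token and returns the status code and parsed JSON; a FAILED task record should be logged rather than retried blindly.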