VMware vSphere SDKs and Tools 8.0

8.0 7.0 6.7 6.5

Establish Trust Between Key Provider and Key Server
Last Updated December 16, 2024

You can use
HTTP requests
 to perform trust management operations.
  • Verify that you have access to a working
    vSphere Trust Authority
     environment.
  • Verify that you have Trusted Infrastructure administrative privileges.
You can list and update server certificates, retrieve, generate, and update client certificates, generate a CSR, and set the key server credential.
Some operations require you to specify parameters in the body of the HTTP request according to your
vSphere Trust Authority
 environment. For details about the syntax of each HTTP request body, see the
API Reference
 documentation.
  1. List the remote server certificates on the configured key servers to verify the trusted key servers.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/current?server_names=<value-1>&server_names=<value-2>&trusted=<true>&vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  2. Retrieve the list of trusted server certificates.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/trusted?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  3. Update the trusted server certificates.
    This operation overwrites the existing list of trusted certificates.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/trusted?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  4. Retrieve the existing client certificate.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
    If the operation is successful, you receive the client certificate in PEM format.
  5. Generate a new self-signed client certificate, used to establish a secure connection to the key server.
    This operation overwrites the existing client certificate.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
    If the operation is successful, you can provide the newly generated self-signed client certificate to the key server to establish trust with the Key Provider.
  6. Update the client certificate to specify what Key Provider should use to authenticate with the key server.
    If a client certificate exists, this operation overwrites it.
    PATCH https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  7. Generate a certificate signing request (CSR) for the client certificate.
    If a CSR exists, this operation overwrites it.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate/csr?vmw-task=true
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
    If the operation is successful, you receive the client CSR in PEM format and the host ID which issued it. The generated CSR can later be signed by a third party. The signed CSR should be replicated and set on each host.
  8. Set the key server credential for key servers that require a password.
    PUT https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/credential?vmw-task=true

"secret string"
    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

Content feedback and comments