Establish Trust Between Key Provider and Key Server
You can use
HTTP requests
to perform trust management
operations.- Verify that you have access to a workingvSphere Trust Authorityenvironment.
- Verify that you have Trusted Infrastructure administrative privileges.
You can list and update server certificates,
retrieve, generate, and update client
certificates, generate a CSR, and set the key
server credential.
Some operations
require you to specify parameters in the body of
the HTTP request according to your
vSphere Trust Authority
environment. For details
about the syntax of each HTTP request body, see
the API
Reference
documentation.- List the remote server certificates on the configured key servers to verify the trusted key servers.GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/current?server_names=<value-1>&server_names=<value-2>&trusted=<true>&vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
- Retrieve the list of trusted server certificates.GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/trusted?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
- Update the trusted server certificates.This operation overwrites the existing list of trusted certificates.POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/trusted?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
- Retrieve the existing client certificate.GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>If the operation is successful, you receive the client certificate in PEM format.
- Generate a new self-signed client certificate, used to establish a secure connection to the key server.This operation overwrites the existing client certificate.POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>If the operation is successful, you can provide the newly generated self-signed client certificate to the key server to establish trust with the Key Provider.
- Update the client certificate to specify what Key Provider should use to authenticate with the key server.If a client certificate exists, this operation overwrites it.PATCH https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
- Generate a certificate signing request (CSR) for the client certificate.If a CSR exists, this operation overwrites it.POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate/csr?vmw-task=trueYou receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>If the operation is successful, you receive the client CSR in PEM format and the host ID which issued it. The generated CSR can later be signed by a third party. The signed CSR should be replicated and set on each host.
- Set the key server credential for key servers that require a password.PUT https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/credential?vmw-task=true "secret string"You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>