vSphere API Methods for KMS Management
Cryptographic key management interfaces are defined in the following hierarchy.
- CryptoManager – managed object, parent of CryptoManagerKmip. CryptoManager defines methods that are covered in vSphere API Methods for Cryptographic Operations.
- CryptoManagerKmip – managed object for handling the cryptographic keys.
- CertificateInfo – basic information of a certificate.
- ClusterStatus – status of a KMS cluster.
- ServerCertInfo – information about the KMS certificate.
- ServerStatus – status of a KMS.
CryptoManagerKmip defines the following methods:
- String generateClientCsr(cluster) – generate a certificate signing request with its private key.
- String generateSelfSignedClientCert(cluster) – generate a self-signed client certificate with its private key.
- KmipClusterInfo[] kmipServers() – get a list of registered KMS, grouped by clusters.
- KmipClusterInfo[] listKmipServers(limit) – get a list of registered KMS.
- void markDefault(clusterId) – set the default KMS cluster.
- void registerKmipServer(server) – register a KMS.
- void removeKmipServer(clusterId, serverName) – remove a KMS, even if in use.
- String retrieveClientCert(cluster) – get the client certificate of the KMS cluster.
- String retrieveClientCsr(cluster) – get the generated client certificate signing request.
- ServerCertInfo retrieveKmipServerCert(keyProvider, server) – get the server certificate.
- ClusterStatus[] retrieveKmipServersStatus(clusters[]) – get the status of the KMS instances.
- String retrieveSelfSignedClientCert(cluster) – get the generated self-signed client certificate.
- void updateKmipServer(server) – update a KMS.
- void updateKmsSignedCsrClientCert(cluster, certificate) – set a KMS-signed certificate as the client certificate for a KMS cluster.
- void updateSelfSignedClientCert(cluster, certificate) – set a self-signed certificate as the client certificate for the KMS cluster.
- void uploadClientCert(cluster, certificate, privateKey) – set a client certificate with private key for the KMS cluster.
- void uploadKmipServerCert(cluster, certificate) – upload a server certificate.
- CryptoKeyResult generateKey(keyProvider) – generate a new encryption key. (The generateKey method is out of alphabetic order because it is called after the others.)
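Putting several of these methods together, as an added example that is not part of this guide: a pyVmomi routine that registers a KMS with registerKmipServer, fetches its certificate with retrieveKmipServerCert, checks the reported fingerprint against a value obtained out of band from the KMS operator before uploading it with uploadKmipServerCert, and returns the CSR from generateClientCsr for the operator to sign (the signed result is then installed with updateKmsSignedCsrClientCert). pyVmomi exposes the methods with a leading capital letter; the cluster id, server name, address and fingerprint are placeholders, and the fallback to running without pyVmomi is only so the logic can be exercised offline.

```python
"""Register a KMS and establish trust in both directions through CryptoManagerKmip."""
import hmac

try:  # pyVmomi is needed only to build the real request types and talk to vCenter
    from pyVmomi import vim
except ImportError:  # lets trust_kms() be exercised with a stand-in manager object
    vim = None


def kms_spec(cluster_id, name, address, port=5696):
    """Build the KmipServerSpec that registerKmipServer expects (needs pyVmomi)."""
    if vim is None:
        raise RuntimeError("pyVmomi is required to build vim.encryption types")
    return vim.encryption.KmipServerSpec(
        clusterId=vim.encryption.KeyProviderId(id=cluster_id),
        info=vim.encryption.KmipServerInfo(name=name, address=address, port=port))


def _norm(fingerprint):
    """Normalise 'AB:CD:..' / 'ab cd ..' / 'abcd..' to one comparable form."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def trust_kms(crypto_mgr, spec, expected_fingerprint):
    """Register the KMS described by spec, verify its certificate fingerprint
    against the value the KMS operator supplied out of band, and only then
    upload the certificate so vCenter trusts the server. Returns the client
    CSR that the KMS operator must sign so the KMS trusts vCenter in turn."""
    crypto_mgr.RegisterKmipServer(server=spec)
    # ServerCertInfo.certInfo carries the fingerprint vCenter computed for the
    # certificate it just fetched from the server.
    cert = crypto_mgr.RetrieveKmipServerCert(keyProvider=spec.clusterId, server=spec.info)
    if not hmac.compare_digest(_norm(cert.certInfo.fingerprint), _norm(expected_fingerprint)):
        # A mismatch means this is not the KMS we expected: do not upload the
        # certificate, and back out the registration that was just made.
        crypto_mgr.RemoveKmipServer(clusterId=spec.clusterId, serverName=spec.info.name)
        raise ValueError(f"fingerprint mismatch for KMS {spec.info.name}")
    crypto_mgr.UploadKmipServerCert(cluster=spec.clusterId, certificate=cert.certificate)
    return crypto_mgr.GenerateClientCsr(cluster=spec.clusterId)
```

Only after the signed client certificate is installed and the cluster reports as trusted in both directions should markDefault be called on it.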
Certificate Management
Administrators can use the vSphere Client to manage certificates. Some organizations require a third-party certificate externally but use VMware Certificate Authority (VMCA) internally.
CertificateManager is the managed object used to reach a certificate authority and refresh or revoke certificates. It includes these methods:
- refreshCACertificatesAndCRLs – Fetch certificates and CRLs (certificate revocation lists) from trusted certificate authorities and push them to hosts.
- refreshCertificates– Get CSRs and certificates signed by VMCA and push them down to hosts.
- revokeCertificates– Revokes certificates of specified hosts.