vSphere API Methods for KMS Management

Cryptographic key management interfaces are defined in the following hierarchy.
  • CryptoManager – managed object, parent of CryptoManagerKmip. CryptoManager defines methods that are covered in vSphere API Methods for Cryptographic Operations.
    • CryptoManagerKmip – managed object for handling the cryptographic keys.
      • CertificateInfo – basic information of a certificate.
      • ClusterStatus – status of a KMS cluster.
      • ServerCertInfo – information about the KMS certificate.
      • ServerStatus – status of a KMS.
      CryptoManagerKmip defines the following methods:
    • String generateClientCsr(cluster) – generate a certificate signing request with its private key.
    • String generateSelfSignedClientCert(cluster) – generate a self-signed client certificate with its private key.
    • KmipClusterInfo[] kmipServers() – get a list of registered KMS, grouped by clusters.
    • KmipClusterInfo[] listKmipServers(limit) – get a list of registered KMS.
    • void markDefault(clusterId) – set the default KMS cluster.
    • void registerKmipServer(server) – register a KMS.
    • void removeKmipServer(clusterId, serverName) – remove a KMS, even if it is in use.
    • String retrieveClientCert(cluster) – get the client certificate of the KMS cluster.
    • String retrieveClientCsr(cluster) – get the generated client certificate signing request.
    • ServerCertInfo retrieveKmipServerCert(keyProvider, server) – get the server certificate.
    • ClusterStatus[] retrieveKmipServersStatus(clusters[]) – get the status of the KMS instances.
    • String retrieveSelfSignedClientCert(cluster) – get the generated self-signed client certificate.
    • void updateKmipServer(server) – update a KMS.
    • void updateKmsSignedCsrClientCert(cluster, certificate) – set a KMS-signed certificate as the client certificate for a KMS cluster.
    • void updateSelfSignedClientCert(cluster, certificate) – set a self-signed certificate as the client certificate for the KMS cluster.
    • void uploadClientCert(cluster, certificate, privateKey) – set a client certificate with its private key for the KMS cluster.
    • void uploadKmipServerCert(cluster, certificate) – upload a server certificate.
    • CryptoKeyResult generateKey(keyProvider) – generate a new encryption key. (The generateKey method is out of alphabetic order because it is called after the others.)
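The trust-establishment step that the methods above enable (retrieveKmipServerCert, uploadKmipServerCert, retrieveKmipServersStatus, markDefault) is shown below as an added example, not code from the vSphere API or its documentation. It uses a constructed in-memory stand-in for CryptoManagerKmip with the page's method names, and the ServerCertInfo/ClusterStatus field shapes, the fingerprint function and the trust_kms_cluster workflow are assumptions for illustration: the point is that a KMS certificate is uploaded only after it matches a fingerprint recorded out of band, and the cluster becomes the default only once every server reports trusted and reachable.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class ServerCertInfo:      # shape assumed from the page's ServerCertInfo
    server: str
    certificate: str

@dataclass
class ClusterStatus:       # shape assumed from the page's ClusterStatus
    cluster: str
    servers: dict          # server name -> True when reachable and its cert is trusted

class FakeCryptoManagerKmip:
    """Constructed in-memory stand-in for CryptoManagerKmip (not vSphere code)."""
    def __init__(self, presented_certs):
        self.presented = presented_certs   # cert each KMS presents on its KMIP port
        self.trusted = {}                  # cluster -> certs accepted via uploadKmipServerCert
        self.default = None
    def retrieveKmipServerCert(self, keyProvider, server):
        return ServerCertInfo(server, self.presented[server])
    def uploadKmipServerCert(self, cluster, certificate):
        self.trusted.setdefault(cluster, set()).add(certificate)
    def retrieveKmipServersStatus(self, clusters):
        return [ClusterStatus(c, {s: cert in self.trusted.get(c, set())
                                  for s, cert in self.presented.items()}) for c in clusters]
    def markDefault(self, clusterId):
        self.default = clusterId

def fingerprint(cert: str) -> str:
    # Constructed: hashes the certificate text; production code would hash the DER bytes.
    return hashlib.sha256(cert.encode()).hexdigest()

def trust_kms_cluster(cm, cluster, pinned):
    """Upload each KMS server cert only if it matches the fingerprint recorded out of band,
    then make the cluster default only once every server reports trusted and reachable."""
    for server, expected in pinned.items():
        info = cm.retrieveKmipServerCert(cluster, server)   # keyProvider is the cluster id here
        got = fingerprint(info.certificate)
        if got != expected:
            raise ValueError(f"{server}: presented cert {got[:12]} does not match pin {expected[:12]}")
        cm.uploadKmipServerCert(cluster, info.certificate)
    status = cm.retrieveKmipServersStatus([cluster])[0]
    if not all(status.servers.values()):
        return False                     # leave the default unchanged; an operator investigates
    cm.markDefault(cluster)
    return True
```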

Certificate Management

Administrators can use the vSphere Client to manage certificates. Some organizations require a third-party certificate externally but use VMware Certificate Authority (VMCA) internally.
CertificateManager is the managed object to reach a certificate authority and refresh or revoke certificates. It includes these methods:
  • refreshCACertificatesAndCRLs – fetch certificates and CRLs (certificate revocation lists) from trusted certificate authorities and push them to hosts.
  • refreshCertificates – get CSRs and certificates signed by VMCA and push them down to hosts.
  • revokeCertificates – revoke the certificates of the specified hosts.