Managing Certificates
Starting with vSphere 6.7 Update 2, you can use the vSphere Automation API to manage certificates in your vSphere environment. You can not only refresh default certificates that are issued by the VMware Certificate Authority (VMCA) but also add third-party or custom-made certificates to your environment.
Certificate Management Operations

You can use the vSphere Automation API to manage trusted root certificate chains, VMware Certificate Authority (VMCA) root certificates, machine SSL (TLS) certificates, and Security Token Service (STS) signing certificates. You can refresh the VMCA-issued certificates but also add external and third-party certificates to your vSphere environment. For more information on vSphere certificate management, see the vSphere Authentication guide.

Add a Root Certificate to vCenter Server

You can use the TrustedRootChains interface to add, delete and read trusted root certificate chains. If you want to use an enterprise or third-party certificate authority (CA) for certificate management of your vSphere environment, you must first establish trust with that CA. You can do this by adding the root certificate of the external CA to the trusted root store of your vCenter Server system.

Delete a Root Certificate from vCenter Server

You can use the TrustedRootChains interface to add, delete and read trusted root certificate chains. This use case demonstrates how to delete a root certificate or certificate chain from the trusted root store of your vCenter Server system.

Change the Machine SSL Certificate of vCenter Server

You can change the machine SSL certificate of a vCenter Server system by using the TLS and the TLS CSR interfaces of the vSphere Automation API.

Refresh the vCenter Server STS Signing Certificate with a VMCA-Issued Certificate

You can refresh the vCenter Server Security Token Service (STS) signing certificate with a new VMCA-issued certificate by using the SigningCertificate interface. The STS is an internal entity that issues and verifies tokens so that vSphere services can communicate with and trust each other.

Set a Custom STS Signing Certificate to vCenter Server

You can import and replace the vCenter Server STS signing certificate with a custom generated or third-party certificate by using the SigningCertificate interface.
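The "Add a Root Certificate to vCenter Server" use case above creates a trusted root chain through the TrustedRootChains interface. The following Python script is an added example, not code from the vSphere documentation or from the VMware SDK: it reads a PEM bundle exported from an enterprise CA, rejects blocks that are not base64-encoded DER before anything reaches vCenter, and builds the request body for the create call. It assumes the REST path `/api/vcenter/certificate-management/vcenter/trusted-root-chains`, the `vmware-api-session-id` session header, and a create body of the shape `{"cert_chain": {"cert_chain": [...]}}`, as found in the public vSphere REST API reference; the sample PEM blocks are constructed placeholders (tiny DER sequences), not real certificates.

```python
import base64
import binascii
import json
import re
import ssl
import textwrap
import urllib.request

# Constructed sample input: two tiny DER SEQUENCEs (not real certificates)
# wrapped as PEM, standing in for a root CA and subordinate CA bundle.
SAMPLE_PEM = """\
root CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
subordinate CA (constructed placeholder, body split across lines)
-----BEGIN CERTIFICATE-----
MAMC
AQI=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the certificates in a PEM bundle as normalised PEM blocks, in file order.

    Each body must be valid base64 whose decoded bytes begin with the DER
    SEQUENCE tag (0x30); anything else raises ValueError so that a corrupt or
    mis-pasted file is caught locally instead of being pushed to the trust store.
    """
    blocks = []
    for body in _PEM_RE.findall(pem_text):
        b64 = "".join(body.split())  # drop line breaks and spaces inside the body
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate body is not a DER SEQUENCE")
        blocks.append("-----BEGIN CERTIFICATE-----\n"
                      + "\n".join(textwrap.wrap(b64, 64))
                      + "\n-----END CERTIFICATE-----")
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return blocks


def build_trusted_root_chain_spec(pem_text):
    """Build the create body for TrustedRootChains (assumed shape, see lead-in)."""
    return {"cert_chain": {"cert_chain": split_pem_chain(pem_text)}}


def add_trusted_root_chain(vcenter, session_id, pem_text, cafile=None):
    """POST the chain to vCenter and return the response (new chain id).

    Not exercised offline. The endpoint path and session header are assumptions
    from the public REST API reference; TLS verification stays on, with an
    optional CA file for vCenter's own server certificate.
    """
    url = (f"https://{vcenter}/api/vcenter/certificate-management/"
           "vcenter/trusted-root-chains")
    body = json.dumps(build_trusted_root_chain_spec(pem_text)).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "vmware-api-session-id": session_id})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Show the body that would be sent for the constructed bundle.
    print(json.dumps(build_trusted_root_chain_spec(SAMPLE_PEM), indent=2))
```

Because the trusted root store decides which CAs every vSphere service will accept, the validation step is deliberately strict about structure, and the order of the blocks is preserved from the file so a root followed by its subordinate CA arrives as one chain rather than as loose certificates.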