Managing Certificates

You can use the vSphere Automation API to manage the life cycle of certificates.

The API provides operations for generating a certificate signing request (CSR), retrieving, renewing, or replacing TLS certificates, and creating, retrieving, or deleting trusted root certificate chains. The TLS certificates and trusted root chain certificates are maintained in the VMware Endpoint Certificate Store (VECS) and provide the means for services inside vCenter Server to communicate in a secure manner.

Table 1. User Operations
| Operation | Description |
| --- | --- |
| Generate a CSR | You can generate a CSR by providing a valid specification. If the operation is successful, you receive a CSR in PEM format. |
| Get TLS certificates | You can retrieve existing TLS certificates and additional certificate information such as serial number, issuer, validity, thumbprint, and so on. |
| Replace TLS certificates | You can replace the existing TLS certificate with another certificate that you specify. |
| Renew TLS certificates | You can renew the validity of an existing TLS certificate for a specified period. The duration should be less than or equal to 730 days. If you do not specify the duration, the default value of 730 days is applied. |
| Create a trusted root certificate chain | You can create a trusted root certificate chain by providing a valid specification. If the operation is successful, you receive a unique identifier of the last certificate present in the root chain. |
| List trusted root certificates | You can retrieve the identifiers of all certificates present in the trusted root chain. |
| Get trusted root certificate information | You can retrieve the PEM certificate by providing the identifier of the certificate. The certificate identifier can be retrieved by using the List trusted root certificates operation. |
| Delete a trusted root certificate | You can delete a specific certificate by providing the identifier. The certificate identifier can be retrieved by using the List trusted root certificates operation. |
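The following is an added example, not code from this page or from VMware: it audits the result of a Get TLS certificates call (thumbprint pin and remaining validity) and builds a Renew TLS certificates request that respects the 730-day limit. The REST path, the `duration` body key, the record field names, and all sample values are assumptions or constructed data.

```python
from datetime import datetime, timezone

MAX_RENEW_DAYS = 730  # ceiling and default stated in Table 1
# Assumed REST path for "Renew TLS certificates"; it is not given on this page.
RENEW_PATH = "/api/vcenter/certificate-management/vcenter/tls?action=renew"

# Constructed "Get TLS certificates" result; field names are assumptions.
SAMPLE_INFO = {
    "serial_number": "1234567890",
    "issuer_dn": "CN=CA,DC=vsphere,DC=local",
    "valid_from": "2023-03-02T00:00:00.000Z",
    "valid_to": "2025-03-01T00:00:00.000Z",
    "thumbprint": "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01",
}
SAMPLE_PIN = "abcdef0123456789abcdef0123456789abcdef01"  # constructed pinned value


def renew_request(duration_days=None):
    """Return (path, JSON body) for a renew call, refusing durations over 730 days."""
    if duration_days is None:
        return RENEW_PATH, {}  # omit duration: the 730-day default applies
    if isinstance(duration_days, bool) or not isinstance(duration_days, int):
        raise TypeError("duration must be an integer number of days")
    if not 1 <= duration_days <= MAX_RENEW_DAYS:  # lower bound is an assumption
        raise ValueError(f"duration must be 1..{MAX_RENEW_DAYS} days")
    return RENEW_PATH, {"duration": duration_days}


def _ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _norm(thumbprint):
    """Compare thumbprints independent of case and colon separators."""
    return thumbprint.replace(":", "").replace(" ", "").lower()


def audit_tls(info, pinned_thumbprint, now, warn_days=30):
    """Return (days_left, findings) for one retrieved TLS certificate record."""
    findings = []
    if _norm(info["thumbprint"]) != _norm(pinned_thumbprint):
        findings.append("thumbprint-mismatch")  # cert differs from the recorded one
    if now < _ts(info["valid_from"]):
        findings.append("not-yet-valid")
    days_left = (_ts(info["valid_to"]) - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append("renew-soon")
    return days_left, findings
```

Pass `now` as a timezone-aware UTC `datetime`; a thumbprint mismatch after an unplanned Replace TLS certificates operation is the finding to investigate first.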