cURL Examples of Certificate Management Operations
The following cURL command examples show the syntax for operations that you can use to manage TLS certificates and trusted root certificates.
Prerequisites
- Verify that the certificate management service is running on your vCenter Server instance.
- Verify that you have the session ID that is required to invoke the API operations. You can obtain the session ID by running the following command.
curl -u '<username>:<password>' -X POST -k https://<server>:443/rest/com/vmware/cis/session
Renew a Certificate
curl --insecure -H 'Content-Type:application/json' --request POST --data-ascii '{"duration":"730"}' --url 'https://<server>/rest/vcenter/certificate-management/vcenter/tls/?action=renew' --header 'vmware-api-session-id:8ab92796a606801c233a2189a1e8f823'
Generate a CSR
This example generates a CSR and private key on the vCenter Server instance. The private key remains on the machine.
You can perform this operation as part of a use case scenario in which you want to replace a VMCA-issued TLS certificate with a TLS certificate issued by a custom Certificate Authority (CA). You must use the CSR and obtain a certificate from the external CA to replace the existing certificate. For details on the replacement operation, see Replace a Certificate.
curl --insecure -H 'Content-Type:application/json' --request POST --data-ascii '{"spec": {"key_size": "2048","common_name":"sc-rdops-vm05-dhcp-154-50.eng.vmware.com","country":"US","locality":"PA","state_or_province":"CA","organization":"VMware","organization_unit":"SSO","email_address":"<email-address>"} }' --url https://<server>/rest/vcenter/certificate-management/vcenter/tls-csr --header 'vmware-api-session-id:4916bc4a8d37d3742277d0e26ac28faa'
Replace a Certificate
This example replaces an existing TLS certificate with another certificate obtained from a CSR that you generated. You must provide the obtained certificate in PEM format in the input spec.
You can perform this operation as part of a use case scenario in which you want to replace a VMCA-issued TLS certificate with a TLS certificate issued by a custom Certificate Authority (CA). You must use the CSR and obtain a certificate from the external CA to replace the existing certificate. For details on the CSR generation operation, see Generate a CSR.
curl -i --insecure -H 'Content-Type:application/json' --request PUT --data-ascii '{"spec":{"cert":"-----BEGIN CERTIFICATE-----\nMIIEJTCCAw2gAwIBAgIJAM5BdOvJGi+MMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYD\nVQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ\nFgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExKTAnBgNV\nBAoMIHNjMS0xMC03OC0xMDYtMTY4LmVuZy52bXdhcmUuY29tMRswGQYDVQQLDBJW\nTXdhcmUgRW5naW5lZXJpbmcwHhcNMTkwOTEyMDkyNDIwWhcNMjAwNzA4MDkyNDIw\nWjBsMQswCQYDVQQGEwJJTjEMMAoGA1UECAwDQmdsMQwwCgYDVQQHDANOR0wxDDAK\nBgNVBAoMA3ZtdzEzMDEGA1UEAwwqc2MyLXJkb3BzLXZtMDctZGhjcC0yNDUtMjA0\nLmVuZy52bXdhcmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n3o1uY1FRL0fJX9k4GnPhp5hIFvbHcYTU+WgPDDtboskcJwUSybOxLu6s2gRHjDH4\nx0VQQ2U9DtlIds62jJErOqhstSmip8SQmhrVa1eN9ORwFeFEjHrFuAAdhKQirWj7\nu93kFv3vyoEp6vf0ZrTVvK9P4MZ3xO8ZWed6EiU6ju+eNJvEd1lJ+3l0InvORFp0\nH/V7LvfwA1G0rwbCzKQ+VWWZsO4cLMAoXqReXN9E2q2CtpGPXUCA7SLBXasrQxda\nELPXSDn+Dnnql319GLGkiJDa8k1K6RqZ6knu1dwGvBNw5P6LWhsLqRz44RSr27Zw\npvarlVuVnab/5b6DfgHgiQIDAQABo4GNMIGKMBUGA1UdEQQOMAyCBHNjMi2HBAoB\nAQEwHwYDVR0jBBgwFoAUphwxwKuWlxqZgFdHYJLbyRrprB8wUAYIKwYBBQUHAQEE\nRDBCMEAGCCsGAQUFBzAChjRodHRwczovL3NjMS0xMC03OC0xMDYtMTY4LmVuZy52\nbXdhcmUuY29tL2FmZC92ZWNzL2NhMA0GCSqGSIb3DQEBCwUAA4IBAQAyydRgWRBf\n8hVkC89yE912kRqh9sQyN2VtnjEQ0el+HB9FAYlhlYgW4mFK+f50NliyiKsGiPT6\nvL/5Txub3CyLmMuzBgr2r8DnSiOntN9OJdF+FuFmGN6KvK9RvNpJwhtFjjVnDc45\nGYUyAhNpXvLec+DyAJDdqBtTDy9VqypPBHGhPoMNDjnHI+Zj7svS+duunGD+A9y6\n9+HJKyK+TnhlCDcms/kmwvUWjBt56p6OmPXGpXz8aUNe/byL59gqbgPBQoV1ASnu\nvJm5sXiehzwdYglnCIdbCebL7tdJRh8Qsv1mQ7gfuOrjFtfVfSAbIjUPRH5o4LHa\nOvCeaa6p+dsw\n-----END CERTIFICATE-----"}}' --url https://<server>/rest/vcenter/certificate-management/vcenter/tls/ --header 'vmware-api-session-id:4916bc4a8d37d3742277d0e26ac28faa'
Create and Add Trusted Root Certificates
This example creates two certificate chains and adds them to the trusted root chain.
curl --insecure -H 'Content-Type:application/json' --request POST --data-ascii '{ "spec" : { "cert_chain" : {"cert_chain": ["-----BEGIN CERTIFICATE-----\nMIIDwjCCAqqgAwIBAgIJAI1OflMjc0LfMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV\nBAYTAklOMQswCQYDVQQIDAJLQTEMMAoGA1UEBwwDQkxSMQ8wDQYDVQQKDAZWTXdh\ncmUxDDAKBgNVBAsMA1NTTzEMMAoGA1UEAwwDQ0ExMR8wHQYJKoZIhvcNAQkBFhBz\naWduMUB2bXdhcmUuY29tMB4XDTE5MDEwMjA2MTIyMloXDTI4MTIzMDA2MTIyMlow\ndjELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAktBMQwwCgYDVQQHDANCTFIxDzANBgNV\nBAoMBlZNd2FyZTEMMAoGA1UECwwDU1NPMQwwCgYDVQQDDANDQTExHzAdBgkqhkiG\n9w0BCQEWEHNpZ24xQHZtd2FyZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\nggEKAoIBAQDHuDDoAyGj6FGLZOIxMEK7oO2LhbfGbIbBiXTR5WWSkTsmsxy0Vge5\nhbVEkGW2OjgIxvmqBC/nVeH1b4gTJAZFmJ6lrh6Ri8HC5cyIePVJkz/PR08SbKmy\nmagd02N6ZqBgMEr3eQ2NTtqUOutvphRT5f+fyGKL5uPjOrhNn6v8GDrIF4wUY6aV\nWYDG6Mcay/cv814PZoTIJa0juIEfJXzOO0gxzAY6Jwi6k3DmLkps7zFErRbWUwYR\niaa46LKRHRlX71h0gsWfx7TNdCvQ8emiPXsYsqUkOy9+MSfr3CsQcPzNy8qDbImt\ngK6z2T4vvV7r5Iir5srD7yyWm5rKmtFDAgMBAAGjUzBRMB0GA1UdDgQWBBSv6kwh\nVWkFQ/se4wRz3PayMJTjgzAfBgNVHSMEGDAWgBSv6kwhVWkFQ/se4wRz3PayMJTj\ngzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC2yEXM2fTCYRvh\noD40MrDLK/g+mKSixvsXtebTga47fHi8LxnT6KXGc44ZMT/HTSzwk2alYG8EXHK1\nFZeNNFnhYmS24DLgrCq+9p/yThotbfWe6vaUZ87jgbAP9HRAsq/9HYW3s0lUBD4i\ne/FZrBGRjgdtXVQ0tm5N6TVRQq2IwVPQ3niv36KLFu9MmAMhlIIZ3y8sX4Bha13q\nmhOCM74/qw4d88kGgq9lnebpwhmmXl5IOScZX39gJpsgpWQ4a1lhOTWWLT5NYu3z\nxiS9Jc1hr0PWtKE5eWSVu6mMmEx9Tqov/KKMRBCP/pp4aHyn0NlWFtHl7MtWrGC7\nohzPCShe\n-----END CERTIFICATE-----","-----BEGIN 
CERTIFICATE-----\nMIID5jCCAs6gAwIBAgIBCDANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJTjEL\nMAkGA1UECAwCS0ExDDAKBgNVBAcMA0JMUjEPMA0GA1UECgwGVk13YXJlMQwwCgYD\nVQQLDANTU08xDDAKBgNVBAMMA0NBMTEfMB0GCSqGSIb3DQEJARYQc2lnbjFAdm13\nYXJlLmNvbTAeFw0xOTAxMDIwNjE3MDZaFw0yNDA2MjQwNjE3MDZaMGgxCzAJBgNV\nBAYTAklOMQswCQYDVQQIDAJLQTEPMA0GA1UECgwGVk13YXJlMQwwCgYDVQQLDANT\nU08xDDAKBgNVBAMMA0NBMjEfMB0GCSqGSIb3DQEJARYQc2lnbjJAdm13YXJlLmNv\nbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3s5ycFPQmgffQmZKaE\nM/0ymZgh/Kz3txTmWpAiEPGpGdrulDfwubDEbOXfHtsWfcvj48iDa6Nn4g5bNrej\naMoBEIKd0WeV9fwnL/i2wYFiKKhLYiWaHDm5BT79YVaBLEMK6BL/9wc2FoUI2vEf\nQyVSuDuKWSrwx3gB2IFC2q7BpzT3kgq1HmWKVA52nFpMgbe1zlRy9sV08bBTybMO\nzm/Z0c4+a5Y0P1fO6ThiCF+92s0jMow0Bm96qN3nQm6lMgbcY+5um7RgOuBY4iSF\nKTblVDMS/rZAQkPwcP/E8AxcywRazx46awCfe3NAasiVBuI/iADc63SmYs+z+0cS\n8qECAwEAAaOBjDCBiTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAsBglghkgB\nhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE\nFDexYpQDPTkuYf9M47ILnGOg5Fh/MB8GA1UdIwQYMBaAFK/qTCFVaQVD+x7jBHPc\n9rIwlOODMA0GCSqGSIb3DQEBCwUAA4IBAQAMKy6fM7ldYf/IlMSR/0zH4gTauR8Z\nERXkRD65SXa9YgOkp/U59mhlGsfxeAze47jXjD7GNTNpLogYFQkXP9yrIpyYKjRP\n0I8zo8faY/9hEJn2pHZTaYKgZICw0rlfCwGF/so1cxnkocoIsmA56lMPT5xcmyFc\nkvwEBgTb8WgXUTnR0MA20puGI8aaXsAHOwQYM8nexvrfSbJADYJtcG73YqjswNYk\niloSd/uslyhmvb1HVyix794SxAIEybs177ijKOxdicq3XogaeGhOIymvDcCv/55J\n5FgJY341cCZmESPyC1GkuX52OSoZartB1jhSd5cKKlaLobFbTTajs9oa\n-----END CERTIFICATE-----"]}}}' --url https://<server>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/ --header 'vmware-api-session-id:e594038d4c1023afe86b2c14b0b741f0'
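The replace and trusted-root operations above carry PEM text inside a JSON string, so every line break has to be written as the two characters \n. The shell helpers below are an added example, not part of the original page or of VMware's tooling, that build both request bodies from PEM files. The function names, the file names and the ca.pem bundle are assumptions, and the closing comment sends the body with --cacert instead of --insecure so that the server certificate is verified.

```shell
#!/bin/sh
# Added example, not VMware code: build the request bodies for "Replace a
# Certificate" and "Create and Add Trusted Root Certificates" from PEM files.

# pem_json_string FILE: print the certificate(s) in FILE as one JSON string.
# Line breaks become the two characters \n, trailing CRs are dropped, and text
# outside the BEGIN/END CERTIFICATE markers is skipped. Fails if FILE holds no
# complete certificate or a body line contains non-base64 characters.
pem_json_string() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside && $0 !~ /^-----/ && $0 ~ "[^A-Za-z0-9+/=]" { bad = 1 }
        inside { out = out (out == "" ? "" : "\\n") $0 }
        /^-----END CERTIFICATE-----$/ && inside { inside = 0; n++ }
        END { if (n == 0 || inside || bad) exit 1; printf "\"%s\"", out }
    ' "$1"
}

# replace_cert_body FILE: body for PUT .../vcenter/tls/
replace_cert_body() {
    cert=$(pem_json_string "$1") || return 1
    printf '{"spec":{"cert":%s}}\n' "$cert"
}

# trusted_root_body FILE...: body for POST .../vcenter/trusted-root-chains/
# Assumption of this example: each FILE becomes one element of cert_chain.
trusted_root_body() {
    list=
    for f in "$@"; do
        item=$(pem_json_string "$f") || return 1
        list="${list:+$list,}$item"
    done
    [ -n "$list" ] || return 1
    printf '{"spec":{"cert_chain":{"cert_chain":[%s]}}}\n' "$list"
}

# Demo on a constructed PEM file (the body is placeholder base64, not a real certificate).
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVG' '-----END CERTIFICATE-----' > "$demo"
replace_cert_body "$demo"
trusted_root_body "$demo" "$demo"
rm -f "$demo"

# Sending a body (placeholders as on the page; ca.pem is a hypothetical CA bundle):
#   replace_cert_body issued.pem > body.json
#   curl --cacert ca.pem -H 'Content-Type:application/json' --request PUT --data @body.json \
#     --url 'https://<server>/rest/vcenter/certificate-management/vcenter/tls/' \
#     --header 'vmware-api-session-id:<session-id>'
```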
List the Trusted Root Certificates
This example lists the IDs of all certificates present in the trusted root chain.
curl --insecure --request GET --url https://<server>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/ --header 'vmware-api-session-id: e594038d4c1023afe86b2c14b0b741f0'
Get Trusted Root Certificate Information
This example retrieves information about a trusted root certificate with ID AFEA4C2155690543FB1EE30473DCF6B23094E383.
curl --insecure --request GET --url https://<server>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/AFEA4C2155690543FB1EE30473DCF6B23094E383 --header 'vmware-api-session-id: e594038d4c1023afe86b2c14b0b741f0'
Delete a Trusted Root Certificate
This example deletes the trusted root certificate with ID AFEA4C2155690543FB1EE30473DCF6B23094E383.
curl --insecure --request DELETE --url https://<server>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/AFEA4C2155690543FB1EE30473DCF6B23094E383 --header 'vmware-api-session-id: e594038d4c1023afe86b2c14b0b741f0'