Managing Certificates

You can use the vSphere Automation API to manage the life cycle of certificates.

The API provides operations for managing TLS (MACHINE_SSL_CERT) certificates, trusted root certificate chains, and VMware Certificate Authority (VMCA) root certificates. The tls_csr interface provides an operation for generating a certificate signing request (CSR). The tls interface provides operations for retrieving, renewing, or replacing the TLS certificate. The trusted_root_chains interface provides operations for creating, retrieving, or deleting trusted root certificate chains. The vmca_root interface provides an operation for replacing the VMCA root certificate. The TLS certificate and the trusted root chain certificates are stored in the VMware Endpoint Certificate Store (VECS) and are what the services inside vCenter Server use to communicate securely with each other.

Table 1. User Operations

Operation: Generate a CSR
Description: You can generate a CSR by providing a valid specification. If the operation is successful, you receive a CSR in PEM format. You can use the CSR only to replace the TLS certificate, because the matching private key is stored in the VECS and never leaves vCenter Server.

Operation: Get TLS certificate
Description: You can retrieve the TLS certificate, which contains information such as the serial number, issuer, validity period, thumbprint, and so on.

Operation: Renew TLS certificate
Description: You can renew the validity of the TLS certificate for a specified period. The duration must be less than or equal to 730 days. If you do not specify the duration, the default value of 730 days is applied.

Operation: Replace TLS certificate with a custom signed certificate
Description: You can replace the TLS certificate with a certificate signed by a third-party or custom Certificate Authority (CA).

Operation: Replace TLS certificate with a VMCA-signed certificate
Description: You can replace the TLS certificate with a VMCA-signed certificate.

Operation: Create a trusted root certificate chain
Description: You can publish a trusted root certificate chain to vCenter Server by providing a valid specification. If the operation is successful, you receive the unique identifier of the last certificate present in the root chain.

Operation: List trusted root certificates
Description: You can retrieve the identifiers of all trusted root certificates that are published to vCenter Server.

Operation: Get trusted root certificate information
Description: You can retrieve the PEM certificate by providing the identifier of the certificate. The certificate identifier can be retrieved by using the List trusted root certificates operation.

Operation: Delete a trusted root certificate
Description: You can delete a specific certificate by providing its identifier. The certificate identifier can be retrieved by using the List trusted root certificates operation.

Operation: Replace the VMCA root certificate
Description: You can reset the VMCA root certificate by generating a new one. When you reset the VMCA root certificate, the TLS and solution user certificates are automatically regenerated by using the new VMCA certificate.
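The following Python module is an added example, not VMware's code and not part of the vSphere Automation API SDK. It shows the client-side checks a practitioner wants around the operations in Table 1: enforcing the 730-day renewal limit and default before a renew request is sent, splitting a PEM bundle into the ordered list the trusted root chain operation expects, and cross-checking a Get TLS certificate response by recomputing the thumbprint from the PEM in the response and computing the days left before expiry. The request body field names (duration, cert_chain) and response field names (cert, thumbprint, valid_to) are assumptions about the API's JSON shape and should be checked against your vCenter's API reference; the certificate bytes are a constructed placeholder so the module runs offline.

```python
"""Added example (not VMware's code): client-side helpers for the vCenter
certificate-management operations in Table 1. Runs fully offline."""
import base64
import hashlib
from datetime import datetime, timezone

MAX_RENEW_DAYS = 730  # upper bound and default for Renew TLS certificate (Table 1)


def valid_renew_duration(days):
    """True when the renewal duration is a whole number of days in 1..730."""
    return isinstance(days, int) and 0 < days <= MAX_RENEW_DAYS


def renew_spec(days=None):
    """Build the renew request body; omitting the duration applies the 730-day default.
    The field name 'duration' is an assumption about the API's request shape."""
    if days is None:
        days = MAX_RENEW_DAYS
    if not valid_renew_duration(days):
        raise ValueError(f"duration must be 1..{MAX_RENEW_DAYS} days, got {days!r}")
    return {"duration": days}


def split_pem_chain(bundle):
    """Split a PEM bundle into individual CERTIFICATE blocks, preserving order.
    Order matters: the server returns the identifier of the *last* certificate."""
    blocks, current = [], None
    for line in bundle.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            current = [line]
        elif line == "-----END CERTIFICATE-----" and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None and line:
            current.append(line)  # base64 body line
    if current is not None:
        raise ValueError("unterminated CERTIFICATE block in bundle")
    return blocks


def trusted_root_chain_spec(bundle):
    """Build the create-trusted-root-chain body. The nested 'cert_chain' layout is an
    assumption about the API's request shape."""
    certs = split_pem_chain(bundle)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return {"cert_chain": {"cert_chain": certs}}


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body (strict decoding)."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def thumbprint_of_pem(pem):
    """SHA-1 thumbprint in the colon-separated upper-case form vSphere displays."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(info):
    """Cross-check a Get TLS certificate response: the reported 'thumbprint' must equal
    the thumbprint recomputed from the PEM in 'cert'. Refuse to pin or inventory a
    response whose fields disagree."""
    return thumbprint_of_pem(info["cert"]) == info["thumbprint"].upper()


def _parse_ts(ts):
    """Parse the API's ISO-8601 timestamp (trailing 'Z' means UTC)."""
    ts = ts.strip()
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    parsed = datetime.fromisoformat(ts)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def days_until_expiry(valid_to, now=None):
    """Whole days left on the certificate; 'now' may be an ISO string (for testing)."""
    current = _parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    return (_parse_ts(valid_to) - current).days


# Constructed sample (NOT a real certificate): base64 of placeholder bytes, enough to
# exercise the PEM splitting and thumbprint arithmetic offline.
_PLACEHOLDER_DER = b"constructed placeholder bytes, not ASN.1"
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(_PLACEHOLDER_DER).decode() + "\n"
                   + "-----END CERTIFICATE-----")
SAMPLE_TLS_INFO = {  # assumed shape of a Get TLS certificate response
    "serial_number": "01",
    "issuer_dn": "CN=CA, DC=vsphere, DC=local",
    "valid_from": "2025-01-01T00:00:00.000Z",
    "valid_to": "2026-12-31T00:00:00.000Z",
    "thumbprint": thumbprint_of_pem(SAMPLE_CERT_PEM),
    "cert": SAMPLE_CERT_PEM,
}

if __name__ == "__main__":
    print("renew body:", renew_spec())
    print("thumbprint consistent:", thumbprint_matches(SAMPLE_TLS_INFO))
    print("days left:", days_until_expiry(SAMPLE_TLS_INFO["valid_to"]))
```

The thumbprint check is the useful part when automating certificate inventory: the API reports the thumbprint as a field, but recomputing it from the returned PEM costs nothing and catches a truncated or mismatched response before the value is pinned anywhere. Feeding `days_until_expiry` into monitoring gives a renewal trigger well inside the 730-day window rather than an outage when the MACHINE_SSL_CERT lapses.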