Customers have two primary methods of managing TLS certificates for their ESXi hosts: they can either use the built-in VMware Certificate Authority (VMCA), which is part of vCenter Server, or custom CA certificates. I will not go into the gory details, but you can read more about the options here in our documentation.
A question I received recently was whether you can determine the type of certificate an ESXi host was provisioned with, and whether this can be retrieved programmatically using the vSphere API. The answer is yes. In vSphere 6.0, we introduced a CertificateInfo property (under the host's CertificateManager) which contains a number of fields including status, issuer, expiry (notAfter) and subject details. By inspecting either the issuer or the subject property, you can determine the type of certificate on the ESXi host.
Here is a screenshot of the data using the vSphere MOB for an ESXi host that has VMCA-based certificate:
Here is a screenshot of the data using the vSphere MOB for an ESXi host that has custom CA certificate:
As you can see, for a VMCA-based certificate the issuer's OU has the value "VMware Engineering" and the subject's emailAddress has the value "*protected email*". A certificate issued by a custom CA does not carry these values, so checking the issuer's OU is the simplest programmatic test.
In addition, you might also be interested in whether your vCenter Server is currently configured for VMCA or custom certificates. Using the vSphere UI, you can easily check this by looking at the vCenter Server Advanced Setting vpxd.certmgmt.mode, which can have a value of vmca, custom or thumbprint. For more information on how to change this value, you can take a look at the documentation here.
Now that we know where to find this information, let's put it all together into a nice automated script that we can use! I have created a PowerShell function called Get-VSphereCertificateDetails which can be downloaded from here. The function inspects your vCenter Server (it also supports connecting directly to an ESXi host) as well as all ESXi hosts managed by that vCenter Server. The output provides the certificate mode of your vCenter Server as well as the certificate details for each ESXi host. Another benefit of this script is that it retrieves the current certificate expiry of all your ESXi hosts, which was not easy to do in the past, as described in this article here.
Here is a sample output for an environment that is using VMCA based certificate:
Here is a sample output for an environment that is going through a custom certificate conversion:
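The following is an added PowerCLI example, not the Get-VSphereCertificateDetails function from this post, showing the same API walk end to end: it reads vpxd.certmgmt.mode from the vCenter Server, then for every ESXi host resolves ConfigManager.CertificateManager, reads CertificateInfo, parses the issuer and subject DNs, and classifies the certificate as VMCA or Custom using the issuer OU described above. It assumes an existing Connect-VIServer session; the parameter name -ExpiryWarningDays and its default of 30 are my own choices and not something from the post. Hosts that expose no CertificateManager reference (for example a host that is disconnected or not responding) are reported as Unknown instead of being passed as a null argument to Get-View.

```powershell
# Added example (not the post's Get-VSphereCertificateDetails function).
# Assumes: an existing PowerCLI session ($global:DefaultVIServer) to either a
# vCenter Server or a standalone ESXi host.
# Classification rule taken from the post: a VMCA-issued certificate has an
# issuer with OU "VMware Engineering"; anything else is treated as a custom CA cert.

function ConvertFrom-DistinguishedName {
    # Parse an X.500-style DN string such as
    # "CN=CA, DC=vsphere, DC=local, O=example.com, OU=VMware Engineering"
    # into a hashtable keyed by attribute name. Values containing escaped
    # commas are not handled; that is enough for the DNs VMCA and typical CAs emit.
    param([string] $Dn)
    $attrs = @{}
    foreach ($part in ($Dn -split ',\s*')) {
        $kv = $part -split '=', 2
        if ($kv.Count -eq 2) { $attrs[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $attrs
}

function Get-HostCertificateSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Server,      # VIServer object returned by Connect-VIServer
        [int] $ExpiryWarningDays = 30        # hypothetical threshold; not from the post
    )

    # vpxd.certmgmt.mode only exists on vCenter Server (ProductLine 'vpx'),
    # not when connected directly to an ESXi host.
    $certMode = 'n/a (direct ESXi connection)'
    if ($Server.ProductLine -eq 'vpx') {
        $setting = Get-AdvancedSetting -Entity $Server -Name 'vpxd.certmgmt.mode' -ErrorAction SilentlyContinue
        if ($setting) { $certMode = $setting.Value }
    }

    foreach ($vmhost in (Get-VMHost -Server $Server | Sort-Object Name)) {
        $certMgrRef = $vmhost.ExtensionData.ConfigManager.CertificateManager
        if (-not $certMgrRef) {
            # No CertificateManager MoRef: host is disconnected, not responding,
            # or older than vSphere 6.0. Report it rather than calling Get-View with $null.
            [pscustomobject]@{
                VCenterCertMode = $certMode
                VMHost          = $vmhost.Name
                HostState       = $vmhost.ConnectionState
                CertType        = 'Unknown'
                Status          = 'n/a'
                Issuer          = 'n/a'
                SubjectEmail    = 'n/a'
                NotAfter        = $null
                DaysToExpiry    = $null
            }
            continue
        }

        $info    = (Get-View $certMgrRef -Server $Server).CertificateInfo
        $issuer  = ConvertFrom-DistinguishedName $info.Issuer
        $subject = ConvertFrom-DistinguishedName $info.Subject

        $certType = if ($issuer['OU'] -eq 'VMware Engineering') { 'VMCA' } else { 'Custom' }
        $daysLeft = [int][math]::Floor(($info.NotAfter - (Get-Date)).TotalDays)

        # Flag hosts whose certificate expires within the warning window, independent
        # of the API's own Status field (good/expiring/expired/...), which we also pass through.
        $status = $info.Status
        if ($daysLeft -le $ExpiryWarningDays) { $status = "$status (expires in $daysLeft days)" }

        [pscustomobject]@{
            VCenterCertMode = $certMode
            VMHost          = $vmhost.Name
            HostState       = $vmhost.ConnectionState
            CertType        = $certType
            Status          = $status
            Issuer          = $info.Issuer
            SubjectEmail    = $subject['emailAddress']
            NotAfter        = $info.NotAfter
            DaysToExpiry    = $daysLeft
        }
    }
}

# Usage, after Connect-VIServer:
#   Get-HostCertificateSummary -Server $global:DefaultVIServer | Format-Table -AutoSize
#   Get-HostCertificateSummary -Server $global:DefaultVIServer | Where-Object CertType -eq 'Custom'
```

The issuer OU check is the same rule the post derives from the MOB screenshots; during a custom-certificate conversion you will see a mix of VMCA and Custom rows, which is exactly the state the second sample output above describes. The DN parser is deliberately simple, so if your CA emits attribute values that contain escaped commas, compare against the raw Issuer column instead.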
Chidanand says
hi William,
I am getting the below error when I run this:
Get-View : Cannot validate argument on parameter 'VIObject'. The argument is null or empty. Provide an argument that is not null or empty, and then try the
command again.
At C:\Get-VSphereCertificateDetails.ps1:34 char:33
+ ... rtConfig = (Get-View $vmhost.ConfigManager.CertificateManager).Certif ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-View], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.DotNetInterop.GetVIView
If you can help direct me I can check on it.
Thanks.
bla says
does not work, creates empty output
PonKi says
Hello, is it possible to get details from ESXi hosts which are members of a thumbprint-mode vCenter Server?