Is vCenter Server & ESXi hosts using VMware Certificate Authority (VMCA) or custom CA certificates?

10.23.2018 by William Lam // 3 Comments

Customers have two primary methods of managing TLS certificates for their ESXi hosts: they can either use the built-in VMware Certificate Authority (VMCA), which is part of vCenter Server, or use custom CA certificates. I will not go into the gory details, but you can read more about the options here in our documentation.

A question that I received recently was whether you can determine the type of certificate an ESXi host was provisioned with, and whether this can be retrieved programmatically using the vSphere API. The answer is yes. In vSphere 6.0, we introduced a CertificateInfo property which contains a number of fields, including status, issuer, expiry and subject details. By inspecting either the issuer or the subject property, you can determine the type of certificate on the ESXi host.

Here is a screenshot of the data using the vSphere MOB for an ESXi host that has a VMCA-based certificate:

Here is a screenshot of the data using the vSphere MOB for an ESXi host that has a custom CA certificate:

As you can see, for a VMCA-based certificate the issuer's OU has the value "VMware Engineering" and the subject's emailAddress has the value "*protected email*".

In addition, you might also be interested in whether your vCenter Server is currently configured for VMCA or custom certificates. Using the vSphere UI, you can easily check this by looking at the vCenter Server Advanced Setting vpxd.certmgmt.mode, which can have a value of vmca, custom or thumbprint. For more information on how to change this value, you can take a look at the documentation here.
Now that we know where to find this information, let's put it all together into a nice automated script that we can use! I have created a PowerShell function called Get-VSphereCertificateDetails which can be downloaded from here. The function inspects both your vCenter Server (it also supports connecting directly to an ESXi host) and all ESXi hosts managed by that vCenter Server. The output provides the certificate mode of your vCenter Server as well as the certificate details for each ESXi host. Another benefit of this script is that it retrieves the current certificate expiry of all your ESXi hosts, which was not easy to do in the past, as described in this article here.

Here is a sample output for an environment that is using VMCA-based certificates:

Here is a sample output for an environment that is going through a custom certificate conversion:
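As an added illustration (not the Get-VSphereCertificateDetails script from the post), the following PowerCLI snippet applies the two checks described above: it reads vpxd.certmgmt.mode from the vCenter Server advanced settings and inspects CertificateInfo on each host, classifying a certificate as VMCA-issued when the issuer DN carries OU=VMware Engineering. It assumes an active Connect-VIServer session to a vCenter Server; the Get-CertificateSource and Get-VCenterCertMode helper names and the guard for hosts that expose no CertificateManager are my own.

```powershell
# Added example: classify ESXi host certificates as VMCA or custom CA using the
# CertificateInfo issuer field, and report the vCenter certificate mode.
# Assumes an active PowerCLI session (Connect-VIServer) to a vCenter Server.

function Get-CertificateSource {
    param([string]$Issuer)
    # VMCA-issued certificates carry OU=VMware Engineering in the issuer DN
    # (the subject emailAddress is the second marker described in the post).
    if ($Issuer -match 'OU=VMware Engineering') { return 'VMCA' }
    return 'Custom CA'
}

function Get-VCenterCertMode {
    # Returns vmca, custom or thumbprint, from the vpxd.certmgmt.mode advanced setting.
    $setting = Get-AdvancedSetting -Entity $global:DefaultVIServer `
        -Name 'vpxd.certmgmt.mode' -ErrorAction SilentlyContinue
    if ($null -eq $setting) { return 'n/a (no vpxd setting; connected directly to an ESXi host?)' }
    return $setting.Value
}

Write-Host ("vCenter certificate mode: {0}" -f (Get-VCenterCertMode))

$results = foreach ($vmhost in Get-VMHost) {
    # CertificateManager is a managed object reference on the HostSystem view;
    # hosts without one (for example hosts older than vSphere 6.0) would make
    # Get-View fail with "argument is null or empty", so report them and continue.
    $cmRef = $vmhost.ExtensionData.ConfigManager.CertificateManager
    if ($null -eq $cmRef) {
        [pscustomobject]@{ Host = $vmhost.Name; Source = 'Unknown'; Status = 'NoCertificateManager'; Expiry = $null; Issuer = '' }
        continue
    }
    $info = (Get-View -Id $cmRef).CertificateInfo
    [pscustomobject]@{
        Host   = $vmhost.Name
        Source = Get-CertificateSource -Issuer $info.Issuer
        Status = $info.Status        # good, expiring, expired, ... per the API
        Expiry = $info.NotAfter
        Issuer = $info.Issuer
    }
}

# Soonest-expiring certificates first, so renewals are easy to spot.
$results | Sort-Object Expiry | Format-Table -AutoSize
```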


Comments

  1. Chidanand says

    09/24/2021 at 3:53 am

    hi William,
    I am getting the below error when I run this:

    Get-View : Cannot validate argument on parameter 'VIObject'. The argument is null or empty. Provide an argument that is not null or empty, and then try the
    command again.
    At C:\Get-VSphereCertificateDetails.ps1:34 char:33
    + ... rtConfig = (Get-View $vmhost.ConfigManager.CertificateManager).Certif ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-View], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.DotNetInterop.GetVIView

    If you can help direct me I can check on it.

    Thanks.

    Reply
    • bla says

      12/13/2021 at 7:32 am

      Does not work, creates empty output.

      Reply
  2. PonKi says

    06/22/2022 at 12:26 am

    Hello, is it possible to get details from ESXi hosts which are members of a thumbprint-mode vCenter Server?

    Reply
