In the vSphere UI, users can easily view and manage all of their vCenter Server certificates by navigating to Administration->Certificate->Certificate Management as shown in the screenshot below.

There are four types of vCenter Server certificates: Machine SSL, VMware Certificate Authority (VMCA), STS Signing Certificate and Trusted Root. The main summary view shows the validity period of each certificate, which is useful for quickly determining whether you need to plan on replacing a specific one. More information about a specific certificate is available by clicking "View Details".
A question recently came up internally: is there a vSphere API to retrieve all of this information programmatically, in particular the validity period of each certificate?
The answer is yes! All certificate management functionality in vCenter Server is also available through the vCenter REST API, also referred to as the vSphere Automation API. Below are the specific APIs for retrieving each type of certificate:
- Machine SSL Certificate
- VMware Certificate Authority & STS Signing Certificate
- Trusted Root
To demonstrate the certificate management API, I have created a quick PowerCLI function called Get-VCSACertificate that makes it easy to retrieve either all certificates or a specific type.
Step 1 - Download the Get-VCSACertificate.ps1 to your local system
Step 2 - Source the Get-VCSACertificate.ps1 file which contains the PowerCLI Get-VCSACertificate function by running the following command:
. ./Get-VCSACertificate.ps1
Step 3 - Connect to vCenter Server using the Connect-CisServer cmdlet, since we are interacting with the vCenter REST API:
Connect-CisServer -Server vc.primp-industries.local -User administrator@vsphere.local -Password VMware1!
Step 4 - Run the Get-VCSACertificate function without any arguments to retrieve all vCenter Server certificates:
Get-VCSACertificate

You can also filter for a specific certificate type by using the -Type argument, which supports the following values: MACHINE, VMCA_ROOT, STS and TRUSTED_ROOT. Some examples:
Get-VCSACertificate -Type STS
Get-VCSACertificate -Type VMCA_ROOT
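To show what a function like this is doing under the hood, here is an added example (my own code, not the Get-VCSACertificate.ps1 from this post) that calls the certificate-management endpoints of the vSphere Automation API directly with Invoke-RestMethod and builds an expiry report. It assumes vSphere 7.0 Update 2 or later, where the /api/session and /api/vcenter/certificate-management/vcenter/* endpoints exist; the vCenter name and credentials are placeholders. It goes slightly beyond the post in two ways: it decodes PEM through the X509Certificate2 byte-array constructor instead of CreateFromPem, so it also runs on Windows PowerShell 5.1 (.NET Framework), and for the STS certificate it reads the active_cert_chain field separately from the full signing_cert_chains list, since only the active chain is the one vCenter currently signs tokens with.

```powershell
# Added example: query vCenter certificate-management REST endpoints and report validity.
# Assumes vSphere 7.0 U2+ and a lab vCenter with placeholder credentials (not real values).
param(
    [string]$Server   = 'vc.primp-industries.local',
    [string]$User     = 'administrator@vsphere.local',
    [string]$Password = 'VMware1!',
    [switch]$SkipCertificateCheck   # lab only: vCenter's Machine SSL cert is not yet trusted
)

$base     = "https://$Server/api"
$restArgs = @{}
if ($PSVersionTable.PSVersion.Major -ge 6) {
    if ($SkipCertificateCheck) { $restArgs.SkipCertificateCheck = $true }
} else {
    # Windows PowerShell 5.1 defaults to older TLS versions; vCenter requires TLS 1.2.
    # On 5.1 the vCenter certificate must already be trusted by the machine.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}

# 1. Create an API session: basic auth once, then reuse the session token as a header.
$pair    = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${User}:${Password}"))
$token   = Invoke-RestMethod -Method Post -Uri "$base/session" -Headers @{ Authorization = "Basic $pair" } @restArgs
$headers = @{ 'vmware-api-session-id' = $token }

# 2. PEM -> X509Certificate2 without CreateFromPem (that method only exists in .NET 5+ / PowerShell 7).
function ConvertFrom-Pem {
    param([Parameter(Mandatory)][string]$Pem)
    $b64 = $Pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', ''
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]][Convert]::FromBase64String($b64))
}

function New-CertReport {
    param([string]$Type, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Note = '')
    [pscustomobject]@{
        Type     = $Type
        Note     = $Note
        DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        NotAfter = $Cert.NotAfter
        Serial   = $Cert.SerialNumber
        Subject  = $Cert.Subject
    }
}

$report = @()

# 3. Machine SSL certificate. The response carries parsed fields (valid_to, thumbprint, ...) plus the PEM in .cert.
$tls = Invoke-RestMethod -Uri "$base/vcenter/certificate-management/vcenter/tls" -Headers $headers @restArgs
$report += New-CertReport -Type 'MACHINE' -Cert (ConvertFrom-Pem $tls.cert)

# 4. STS signing certificates. active_cert_chain is what vCenter signs tokens with right now;
#    signing_cert_chains also lists older chains still accepted for token validation.
$sts        = Invoke-RestMethod -Uri "$base/vcenter/certificate-management/vcenter/signing-certificate" -Headers $headers @restArgs
$activeLeaf = ConvertFrom-Pem $sts.active_cert_chain.cert_chain[0]
$report    += New-CertReport -Type 'STS' -Cert $activeLeaf -Note 'active'
foreach ($chain in $sts.signing_cert_chains) {
    $leaf = ConvertFrom-Pem $chain.cert_chain[0]
    if ($leaf.Thumbprint -ne $activeLeaf.Thumbprint) {
        $report += New-CertReport -Type 'STS' -Cert $leaf -Note 'inactive'
    }
}

# 5. Trusted root chains (the VMCA root is one of these). The list call returns chain ids only;
#    each id needs its own GET to obtain the PEM certificates.
$chains = Invoke-RestMethod -Uri "$base/vcenter/certificate-management/vcenter/trusted-root-chains" -Headers $headers @restArgs
foreach ($c in $chains) {
    $detail = Invoke-RestMethod -Uri "$base/vcenter/certificate-management/vcenter/trusted-root-chains/$($c.chain)" -Headers $headers @restArgs
    foreach ($pem in $detail.cert_chain.cert_chain) {
        $report += New-CertReport -Type 'TRUSTED_ROOT' -Cert (ConvertFrom-Pem $pem)
    }
}

# 6. End the API session and show the soonest-expiring certificates first.
Invoke-RestMethod -Method Delete -Uri "$base/session" -Headers $headers @restArgs | Out-Null
$report | Sort-Object DaysLeft | Format-Table Type, Note, DaysLeft, NotAfter, Serial, Subject -AutoSize
```

Run it with the placeholder parameters replaced by your own vCenter and a read-only account where possible; a row with Note 'active' is the STS certificate whose expiry actually matters for token issuance, and anything else under STS or TRUSTED_ROOT is historical material that expiry alerting should treat separately.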

When is VMware going to support ACME for automated 3rd-party CA renewals? With Google pushing 30-day SSL lifetimes this is imperative.
Is there any news about the vCert tool from GSS?
Is it possible to retrieve the Solution User certificates using the REST API?
No, since they've been deprecated since 7.x https://blogs.vmware.com/vsphere/2020/04/vsphere-7-certificate-management.html
Please tell me: when I run the Get-VCSACertificate.ps1 script, the following appears: [System.Security.Cryptography.X509Certificates.X509Certificate2] does not contain a method named 'CreateFromPem'.
Same here, tried from Windows PowerCLI and also from a Linux box, no luck!
I have the same problem, X509Certificate2 does not contain a method named CreateFromPem.
I tried $Cert2Type:: and Tab, and it only shows:
CreateFromCertFile
CreateFromSignedFile
Equals
GetCertContentType
new
ReferenceEquals
I think the problem is I'm using PowerShell ISE and it only works up to PowerShell 5.1. I tried in a plain PowerShell 7 window and I have all the methods; I will migrate to Visual Studio Code from ISE.
You can adjust the script like this (to use a temporary file):
$env:TMP = 'c:\temp'
foreach ($signingCert in $signingCerts) {
    # write the PEM to a temp file and load it with CreateFromCertFile, which exists in .NET Framework too
    $signingCert | Set-Content "$env:TMP\cert.crt"
    $cert = $xCert2Type::CreateFromCertFile("$env:TMP\cert.crt") -as $xCert2Type
}
BR, Alek
I'm trying to figure out how to make this work with a user that is not admin. I hope there is a group I can add my report account to but no luck so far.
Hi William, I am facing the problem that I have expired STS certs on a vCenter 6.0.x on Windows and the standard cert manager is always failing to do so. Is there any chance that I can replace the STS certs by hand? Or can you maybe help me with this? Of course not for free ...
Thanks for any feedback anyway ...
The function returns 7 STS certs while my vCenter uses only one of those seven, which I need to check for date validity - not very useful ... 🙁
You might want to do some research and learn how to filter results, as that's a very important concept when doing automation 🙂
I cannot agree:
From the information returned by the function there is no way to check which certificate is really used as the STS certificate for vCenter, only if you know its serial, but it can change in future cert upgrades, so I cannot build a universal check script on that ...
For VMCA_ROOT the function returns 9 certs and none of them is the one I see in the vCenter GUI (checked by serial and date).
I didn't check TRUSTED_ROOT as it's obvious that I cannot rely on that approach ...
We have 20+ vCenters, some of them in ELM for many years, so each one has dozens of certs of all those types. Maybe in fresh small environments that function can be used for an automated expiry check, but in mine, big and complicated with a long history, it's not useful (while here such a check is in high demand 🙂).
Anyway, thanks for your work, and it is not your fault but VMware/Broadcom's, which flooded the system with certs and did not provide a programming interface for automated checks of their expiry.
I'm not even touching the topic of the stupid situation where you cannot use vCenter's cert alerts because the store is full of old, unused, always-false-alarming expired certs which can only be removed by a long procedure of manual commands finished by a vCenter restart (also keep in mind that beforehand you should take cold snapshots of all involved ELM vCenters, and in case of rollback you need to roll back all vCenters 🙂).