WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud
  • Tanzu
    • Application Modernization
    • Tanzu services
    • Tanzu Community Edition
    • Tanzu Kubernetes Grid
    • vSphere with Tanzu
  • Home Lab
  • Nested Virtualization
  • Apple
You are here: Home / Automation / Retrieving vCenter Server certificate (Machine, VMCA Root, STS & Trusted Root) details using the vSphere API 

Retrieving vCenter Server certificate (Machine, VMCA Root, STS & Trusted Root) details using the vSphere API 

09.11.2023 by William Lam // 4 Comments

In the vSphere UI, users can easily view and manage all of their vCenter Server certificates by navigating to Administration->Certificate->Certificate Management as shown in the screenshot below.


There are four types of vCenter Server certificates: Machine SSL, VMware Certificate Authority, STS Signing Certificate and the Trusted Root. On the main summary view, we can see the validity of the certificate, which is useful to quickly determine if you need to plan on replacing a specific certificate. We can also get more information about a specific certificate by clicking on the "View Details".

A question recently came up internally asking whether there is a vSphere API to retrieve all of this information programmatically, especially the validity of the certificate?

The answer is yes! All certificate management functionality in vCenter Server is also available using the vCenter REST API also referred to as vSphere Automation API. Below are the specific APIs for retrieving each type of certificate:

  • Machine SSL Certificate
    • https://developer.vmware.com/apis/vsphere-automation/latest/vcenter/api/vcenter/certificate-management/vcenter/tls/get/
  • VMware Certificate Authority & STS Signing Certificate
    • https://developer.vmware.com/apis/vsphere-automation/latest/vcenter/api/vcenter/certificate-management/vcenter/signing-certificate/get/
  • Trusted Root
    • https://developer.vmware.com/apis/vsphere-automation/latest/vcenter/certificate_management/vcenter.trusted_root_chains/

To demonstrate the certificate management API, I have created a quick PowerCLI function called Get-VCSACertificate that makes it super easy to retrieve either all or a specific certificate.

Step 1 - Download the Get-VCSACertificate.ps1 to your local system

Step 2 - Source the Get-VCSACertificate.ps1 file which contains the PowerCLI Get-VCSACertificate function by running the following command:

. ./Get-VCSACertificate.ps1

Step 3 - Connect to vCenter Server using the Connect-CisServer cmdlet since we are interacting with the vCenter REST API

Connect-CisServer -Server vc.primp-industries.local -User administrator[at]vsphere[dot]local -Password VMware1!

Step 4 - Run the Get-VCSACertificate function without any arguments to retrieve all vCenter Server certificates:

Get-VCSACertificate


You can also filter for a specific certificate type by using the -Type argument which supports the following values: MACHINE, VMCA_ROOT, STS and TRUSTED_ROOT which you can see some examples below:

Get-VCSACertificate -Type STS
Get-VCSACertificate -Type VMCA_ROOT

More from my site

  • Is vCenter Server & ESXi hosts using VMware Certificate Authority (VMCA) or custom CA certificates?
  • Automating Customer Experience Improvement Program (CEIP) configuration using vSphere API and PowerCLI
  • Instant Clone Microsoft Windows & VM Keystroke VMworld demo and code posted
  • Retrieving detailed per-VM space utilization on VSAN
  • Quick Tip - How do I tell if NSX-V or NSX-T is installed?

Categories // Automation, PowerCLI, vSphere Tags // PowerCLI, STS, TLS, VMCA, vSphere API

Comments

  1. *protectedJeff says

    09/11/2023 at 9:03 am

    When is VMware going to support the ACME for automated 3rd party CA renewals? With Google pushing 30 day SSL lifetimes this is imperative.

    Reply
  2. *protectedAnonymous says

    09/11/2023 at 12:18 pm

    Is there any news about the vCert tool from GSS?

    Reply
  3. *protectedHob says

    09/12/2023 at 8:35 pm

    Is it possible to retrieve the Solution User certificates using the REST API?

    Reply
    • William Lam says

      09/14/2023 at 7:53 am

      No, since they've been deprecated since 7.x https://blogs.vmware.com/vsphere/2020/04/vsphere-7-certificate-management.html

      Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC) across Private, Hybrid and Public Cloud

Connect

  • Email
  • GitHub
  • LinkedIn
  • RSS
  • Twitter
  • Vimeo

Recent

  • vSphere Code Capture is your ChatGPT for vSphere Automation 11/30/2023
  • ESXi 8.0 Update 2 not detecting Apple NVMe on Apple Mac Mini 2018 11/28/2023
  • Is there a vSphere REST API for ... 11/21/2023
  • Custom vSAN HCL JSON for VMware Cloud Foundation (VCF) 5.1 and vSAN ESA using Nested ESXi 11/20/2023
  • Heads Up - Performance Impact with VMware Workstation on Windows 11 with Intel Hybrid CPUs 11/19/2023

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2023

 

Loading Comments...