In the vSphere UI, users can easily view and manage all of their vCenter Server certificates by navigating to Administration->Certificate->Certificate Management as shown in the screenshot below.
There are four types of vCenter Server certificates: Machine SSL, VMware Certificate Authority, STS Signing Certificate and the Trusted Root. On the main summary view, we can see the validity of the certificate, which is useful to quickly determine if you need to plan on replacing a specific certificate. We can also get more information about a specific certificate by clicking on the "View Details".
A question recently came up internally asking whether there is a vSphere API to retrieve all of this information programmatically, especially the validity of the certificate?
The answer is yes! All certificate management functionality in vCenter Server is also available using the vCenter REST API also referred to as vSphere Automation API. Below are the specific APIs for retrieving each type of certificate:
- Machine SSL Certificate
- VMware Certificate Authority & STS Signing Certificate
- Trusted Root
To demonstrate the certificate management API, I have created a quick PowerCLI function called Get-VCSACertificate that makes it super easy to retrieve either all or a specific certificate.
Step 1 - Download the Get-VCSACertificate.ps1 to your local system
Step 2 - Source the Get-VCSACertificate.ps1 file which contains the PowerCLI Get-VCSACertificate function by running the following command:
Step 3 - Connect to vCenter Server using the Connect-CisServer cmdlet since we are interacting with the vCenter REST API
Connect-CisServer -Server vc.primp-industries.local -User administrator[at]vsphere[dot]local -Password VMware1!
Step 4 - Run the Get-VCSACertificate function without any arguments to retrieve all vCenter Server certificates:
Get-VCSACertificate -Type STS
Get-VCSACertificate -Type VMCA_ROOT