ESXi hosts deployed with a custom CA-signed TLS certificate can be consumed by either the VMware Cloud Foundation (VCF) 5.x Cloud Builder or the VCF 9.x VCF Installer by supplying a custom JSON deployment manifest.
An additional securitySpec block should be appended to your VCF JSON deployment manifest, with esxiCertsMode set to Custom and the issuing CA certificate(s) listed under rootCaCerts, using the following format:
"securitySpec": {
  "esxiCertsMode": "Custom",
  "rootCaCerts": [
    {
      "alias": "custom-CA",
      "certChain": [
        "-----BEGIN CERTIFICATE-----\nMIIDqzC...\n...\n...==\n-----END CERTIFICATE-----"
      ]
    }
  ]
}
Here is an abbreviated example VCF 5.x deployment spec:
{
  "managementPoolName": "vcf-m01-np01",
  "sddcManagerSpec": {
    "secondUserCredentials": {
      "username": "vcf",
      "password": "FILL_ME_IN"
    },
    "ipAddress": "FILL_ME_IN",
    "hostname": "sddcm01",
    "rootUserCredentials": {
      "username": "root",
      "password": "FILL_ME_IN"
    },
    "localUserPassword": "FILL_ME_IN"
  },
  "sddcId": "vcf-m01",
  "taskName": "workflowconfig/workflowspec-ems.json",
  "ntpServers": [
    "ntp.org"
  ],
  ........
  "securitySpec": {
    "esxiCertsMode": "Custom",
    "rootCaCerts": [
      {
        "alias": "custom-CA",
        "certChain": [
          "-----BEGIN CERTIFICATE-----\nMIIDqzC...\n...\n...==\n-----END CERTIFICATE-----"
        ]
      }
    ]
  }
}
Here is an abbreviated example VCF 9.x deployment spec:
{
  "sddcId": "vcf-m01",
  "vcfInstanceName": "William Lam's VCF 9 Instance",
  "workflowType": "VCF",
  "version": "9.0.0.0",
  ........
  "securitySpec": {
    "esxiCertsMode": "Custom",
    "rootCaCerts": [
      {
        "alias": "custom-CA",
        "certChain": [
          "-----BEGIN CERTIFICATE-----\nMIIDqzC...\n...\n...==\n-----END CERTIFICATE-----"
        ]
      }
    ]
  }
}
To assist with generating the single-line string for the certChain property from your PEM certificate file, you can use this quick AWK command. It drops blank lines, strips any carriage returns (so a PEM file that was edited on Windows does not end up with stray \r characters inside the JSON string) and joins the remaining lines with a literal \n; you still need to wrap the output in double quotes when pasting it into the manifest:
awk 'NF {sub(/\r/, ""); printf "%s\\n", $0;}' mycert.pem
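The same transformation done with the JSON library so that quoting and escaping are never hand-edited, plus a guard against clobbering an existing securitySpec when splicing the block into a manifest. This is an added example, not VMware/Broadcom tooling or code from the original post; the sample PEM text is constructed (not a real certificate), and the choice to emit one certChain element per certificate found in a bundle file is an assumption, as is the `--alias` option name.

```python
"""Build the VCF securitySpec block from a PEM CA file.

Added example, not VMware/Broadcom tooling. Produces the same "\\n"-joined
single-line strings as the awk one-liner, but emits valid JSON via the json
module and can splice the block into an existing manifest.
"""
import json
import re
import sys

# Matches each individual certificate in a PEM file (a bundle may hold several).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample: NOT a real certificate. The body is placeholder text, and
# the CRLF endings plus trailing blank line exercise the normalization paths.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIDqzCCAAAA\r\n"
    "BBBB==\r\n"
    "-----END CERTIFICATE-----\r\n"
    "\r\n"
)


def pem_to_certchain(pem_text: str) -> list[str]:
    """Split PEM text into one normalized string per certificate.

    Each string has blank lines removed, \\r stripped, and lines joined with
    "\\n" (no trailing newline after the END line, matching the layout of the
    securitySpec example). Assumption: one certChain element per certificate.
    """
    entries = []
    for block in PEM_CERT_RE.findall(pem_text):
        lines = [ln.strip() for ln in block.splitlines()]  # strip \r and padding
        lines = [ln for ln in lines if ln]                  # same as awk's NF test
        entries.append("\n".join(lines))
    if not entries:
        raise ValueError("no CERTIFICATE blocks found in PEM input")
    return entries


def build_security_spec(pem_text: str, alias: str = "custom-CA") -> dict:
    """Return the securitySpec object in the shape the manifest expects."""
    return {
        "esxiCertsMode": "Custom",
        "rootCaCerts": [
            {"alias": alias, "certChain": pem_to_certchain(pem_text)}
        ],
    }


def security_spec_json(pem_text: str, alias: str = "custom-CA") -> str:
    """Serialize the block; json.dumps escapes the newlines as \\n for you."""
    return json.dumps(build_security_spec(pem_text, alias), indent=2)


def add_security_spec(manifest: dict, pem_text: str, alias: str = "custom-CA") -> dict:
    """Return a copy of manifest with securitySpec added.

    Refuses to silently overwrite a block that is already present, which is
    the failure mode when a manifest is edited more than once.
    """
    if "securitySpec" in manifest:
        raise ValueError("manifest already contains a securitySpec block")
    out = dict(manifest)
    out["securitySpec"] = build_security_spec(pem_text, alias)
    return out


if __name__ == "__main__":
    # Usage (hypothetical CLI): python vcf_secspec.py mycert.pem [manifest.json]
    # With only a PEM path it prints the securitySpec block; with a manifest
    # path as well it prints the whole manifest with the block spliced in.
    if len(sys.argv) < 2:
        print(security_spec_json(SAMPLE_PEM))  # demo on the constructed sample
        sys.exit(0)
    with open(sys.argv[1], encoding="utf-8") as fh:
        pem = fh.read()
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            manifest = json.load(fh)
        print(json.dumps(add_security_spec(manifest, pem), indent=2))
    else:
        print(security_spec_json(pem))
```

Because the string is built by json.dumps rather than by hand, a PEM file with Windows line endings or trailing blank lines yields exactly the same certChain value as a clean one, and the output is guaranteed to be parseable JSON before you hand it to Cloud Builder or VCF Installer.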