WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple

Automating certificate-manager CLI operations in vCenter Server (VCSA)

02.07.2024 by William Lam // 3 Comments

I recently had a customer inquiry where they were interested in automating the certificate replacement for vCenter Solution Users when using the /usr/lib/vmware-vmca/bin/certificate-manager CLI, which is found within the vCenter Server Appliance (VCSA).


Note: One important thing to understand is that with vSphere 7.0, the vCenter Solution User certificates have been deprecated and the ability to replace the internal certificates will be removed in a future release as mentioned in the referenced vSphere blog post.

VMware does not recommend replacing the internal vCenter Solution User certificates, but for users who may have an organization requirement to do so, the operation is performed interactively using the certificate-manager CLI as mentioned earlier.

By design, the certificate-manager is meant to be consumed interactively and any non-interactive or automated use cases is not possible ...

[Read more...]

Categories // Automation, VCSA Tags // vCenter Server, VCSA, VMCA, VMware Certificate Authority

Is vCenter Server & ESXi hosts using VMware Certificate Authority (VMCA) or custom CA certificates?

10.23.2018 by William Lam // 3 Comments

Customers have two primary methods of managing TLS certificates for their ESXi hosts, they can either use the built-in VMware Certificate Authority (VMCA) which is part of vCenter Server or Custom CA Certificates. I will not go into the gory details, but you can read more about the options here in our documentation.

A question that I had received recently was whether you can determine the type of certificate an ESXi host was provisioned with and whether this could be programmatically retrieved using the vSphere API? The answer is yes. In vSphere 6.0, we introduced a CertificateInfo property which contains a number of fields including status, issuer, expiry and subject details and by inspecting either the issuer or subject property, you can determine the type of certificate on the ESXi host.

Here is a screenshot of the data using the vSphere MOB for an ESXi host that has VMCA-based certificate:


Here is a screenshot of the data using the vSphere MOB for an ESXi host that has custom CA certificate:


As you can see, for VMCA-based certificate the issuer's OU will have value of "VMware Engineering" and subject's emailAddress will have value of "*protected email*".

[Read more...]

Categories // Automation, ESXi, VCSA, vSphere Tags // expiry, PowerCLI, ssl certificate, TLS, VMCA, VMware Certificate Authority, vSphere

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...