You can export a TPM endorsement key (EK) certificate from an ESXi host, and import it to the vSphere Trust Authority Cluster. You do so when you want to trust an individual ESXi host in the Trusted Cluster.

To import a TPM EK certificate into the Trust Authority Cluster, you must change the Trust Authority Cluster's default attestation type to accept EK certificates. The default attestation type accepts TPM Certificate Authority (CA) certificates. Some TPMs do not include EK certificates. If you want to trust individual ESXi hosts, the TPM must include an EK certificate.

Note: Store the exported EK certificate files in a secure location, in case you must restore the vSphere Trust Authority configuration.

Procedure

  1. Ensure that you are connected as the Trust Authority administrator to the vCenter Server of the Trust Authority Cluster.
    For example, you can enter $global:defaultviservers to show all the connected servers.
  2. (Optional) If necessary, you can run the following commands to ensure that you are connected to the vCenter Server of the Trust Authority Cluster.
    Disconnect-VIServer -server * -Confirm:$false
    Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'
  3. To change the Trust Authority Cluster's attestation type:
    1. Run the Get-TrustAuthorityCluster cmdlet to show the clusters managed by this vCenter Server.
      Get-TrustAuthorityCluster
      The clusters are displayed.
    2. Assign the Get-TrustAuthorityCluster information to a variable.
      For example, this command assigns the cluster named vTA Cluster to the variable $vTA.
      $vTA = Get-TrustAuthorityCluster 'vTA Cluster'
    3. Assign the Get-TrustAuthorityTpm2AttestationSettings information to a variable.
      For example, this command assigns the information to the variable $tpm2Settings.
      $tpm2Settings = Get-TrustAuthorityTpm2AttestationSettings -TrustAuthorityCluster $vTA
    4. Run the Set-TrustAuthorityTpm2AttestationSettings cmdlet, specifying RequireEndorsementKey, or RequireCertificateValidation, or both.
      For example, this command specifies RequireEndorsementKey.
      Set-TrustAuthorityTpm2AttestationSettings -Tpm2AttestationSettings $tpm2Settings -RequireEndorsementKey
      The system responds with a confirmation prompt similar to the following.
      Confirmation
      Configure the Tpm2AttestationSettings 'TrustAuthorityTpm2AttestationSettings-domain-c8' with the following parameters:
       RequireCertificateValidation: False
       RequireEndorsementKey: True
      [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
    5. At the confirmation prompt, press Enter. (The default is Y.)
      The output shows a status of True for the setting specified. For example, this status shows True for Require Endorsement Key, and False for Require Certificate Validation.
      Name                                     RequireEndorsementKey          RequireCertificateValidation   Health
      ----                                     ---------------------          ----------------------------   ------
      TrustAuthorityTpm2AttestationSettings... True                           False                          Ok
  4. To export the TPM EK certificate:
    1. Disconnect from the vCenter Server of the Trust Authority Cluster.
      Disconnect-VIServer -server * -Confirm:$false
      
    2. Run the Connect-VIServer cmdlet to connect as the root user to one of the ESXi hosts in the Trusted Cluster.
      Connect-VIServer -server host_ip_address -User root -Password 'password'
    3. Run the Get-VMHost cmdlet to confirm the ESXi host.
      Get-VMHost
      The host information is displayed.
    4. Assign Get-VMHost to a variable.
      For example:
      $vmhost = Get-VMHost
    5. Run the Export-Tpm2EndorsementKey cmdlet to export the EK certificate of the ESXi host.
      For example, this command exports the EK certificate to the tpm2ek.json file.
      Export-Tpm2EndorsementKey -VMHost $vmhost -FilePath C:\vta\tpm2ek.json
      The file is created.
  5. To import the TPM EK:
    1. Disconnect from the ESXi host in the Trusted Cluster.
      Disconnect-VIServer -server * -Confirm:$false
      
    2. Connect to the vCenter Server of the Trust Authority Cluster using the Trust Authority administrator user.
      Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'
    3. Run the Get-TrustAuthorityCluster cmdlet.
      Get-TrustAuthorityCluster
      The clusters in the Trust Authority Cluster are displayed.
    4. Assign the Get-TrustAuthorityCluster 'cluster' information to a variable.
      For example, this command assigns the information for cluster vTA Cluster to the variable $vTA.
      $vTA = Get-TrustAuthorityCluster ‘vTA Cluster’
    5. Run the New-TrustAuthorityTpm2EndorsementKey cmdlet.
      For example, this command uses the tpm2ek.json file previously exported in Step 4.
      New-TrustAuthorityTpm2EndorsementKey -TrustAuthorityCluster $vTA -FilePath C:\vta\tpm2ek.json
      The imported endorsement key information is displayed.

Results

The Trust Authority Cluster's attestation type is changed to accept EK certificates. The EK certificate is exported from the Trusted Cluster and imported to the Trust Authority Cluster.

Example: Export and Import a TPM EK Certificate

This example shows how to use PowerCLI to change the Trust Authority Cluster's default attestation type to accept EK certificates, export the TPM EK certificate from the ESXi host in the Trusted Cluster, and import it to the Trust Authority Cluster. The following table shows the example components and values that are used.

Table 1. Example vSphere Trust Authority Setup
Component Value
vCenter Server for Trust Authority Cluster 192.168.210.22
Variable $vTA Get-TrustAuthorityCluster 'vTA Cluster'
Variable $tpm2Settings Get-TrustAuthorityTpm2AttestationSettings -TrustAuthorityCluster $vTA
Variable $vmhost Get-VMHost
ESXi host in Trusted Cluster 192.168.110.51
Trust Authority administrator trustedadmin@vsphere.local
Local directory to contain output file C:\vta
PS C:\Users\Administrator> Connect-VIServer -server 192.168.210.22 -User trustedadmin@vsphere.local -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.210.22                 443   VSPHERE.LOCAL\TrustedAdmin

PS C:\Users\Administrator> Get-TrustAuthorityCluster

Name                 State                Id
----                 -----                --
vTA Cluster          Enabled              TrustAuthorityCluster-domain-c8

PS C:\Users\Administrator> $vTA = Get-TrustAuthorityCluster 'vTA Cluster'

PS C:\Users\Administrator> $tpm2Settings = Get-TrustAuthorityTpm2AttestationSettings -TrustAuthorityCluster $vTA

PS C:\Users\Administrator> Set-TrustAuthorityTpm2AttestationSettings -Tpm2AttestationSettings $tpm2Settings -RequireEndorsementKey

Confirmation
Configure the Tpm2AttestationSettings 'TrustAuthorityTpm2AttestationSettings-domain-c8' with the following parameters:
 RequireCertificateValidation: False
 RequireEndorsementKey: True
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Name                                     RequireEndorsementKey          RequireCertificateValidation   Health
----                                     ---------------------          ----------------------------   ------
TrustAuthorityTpm2AttestationSettings... True                           False                          Ok

PS C:\Users\Administrator> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator> Connect-VIServer -server 192.168.110.51 -User root -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.110.51                 443   root

PS C:\Users\Administrator> Get-VMHost

Name                 ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz   MemoryUsageGB   MemoryTotalGB Version
----                 --------------- ---------- ------ ----------- -----------   -------------   ------------- -------
192.168.110.51       Connected       PoweredOn       4          55        9576           1.230           7.999   7.0.0

PS C:\Users\Administrator> $vmhost = Get-VMHost
PS C:\Users\Administrator> Export-Tpm2EndorsementKey -VMHost $vmhost -FilePath C:\vta\tpm2ek.json

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        12/3/2019  10:16 PM           2391 tpm2ek.json

PS C:\Users\Administrator> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator> Connect-VIServer -server 192.168.210.22 -User trustedadmin@vsphere.local -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.210.22                 443   VSPHERE.LOCAL\TrustedAdmin

PS C:\Users\Administrator> Get-TrustAuthorityCluster

Name                 State                Id
----                 -----                --
vTA Cluster          Enabled              TrustAuthorityCluster-domain-c8

PS C:\Users\Administrator> $vTA = Get-TrustAuthorityCluster ‘vTA Cluster’
PS C:\Users\Administrator> New-TrustAuthorityTpm2EndorsementKey -TrustAuthorityCluster $vTA -FilePath C:\vta\tpm2ek.json

TrustAuthorityClusterId                  Name                                     Health
-----------------------                  ----                                     ------
TrustAuthorityCluster-domain-c8          1a520e42-4db8-1cbb-6dd7-f493fd921ccb     Ok

What to do next

Continue with Import the Trusted Host Information to the Trust Authority Cluster.