Upload the Certificate and Private Key to Establish a Trusted Key Provider Trusted Connection

Some key server (KMS) vendors require that you configure the trusted key provider with the client certificate and private key provided by the key server. After you configure the trusted key provider, the key server accepts traffic from the trusted key provider.

Prerequisites

Enable the Trust Authority Administrator.
Enable the Trust Authority State.
Collect Information About ESXi Hosts and vCenter Server to Be Trusted.
Import the Trusted Host Information to the Trust Authority Cluster.
Create the Key Provider on the Trust Authority Cluster.
Request a certificate and private key in PEM format from the key server vendor. If the certificate is returned in a format other than PEM, convert it to PEM. If the private key is protected with a password, create a PEM file with the password removed. You can use the openssl command for both operations. For example:
- To convert a certificate from CRT to PEM format:
```
openssl x509 -in clientcert.crt -out clientcert.pem -outform PEM
```
- To convert a certificate from DER to PEM format:
```
openssl x509 -inform DER -in clientcert.der -out clientcert.pem
```
- To remove the password from a private key:
```
openssl rsa -in key.pem -out keynopassword.pem
Enter pass phrase for key.pem:
writing RSA key
```

Procedure

Ensure that you are connected to the vCenter Server of the Trust Authority Cluster. For example, you can enter $global:defaultviservers to show all the connected servers.

(Optional) If necessary, you can run the following commands to ensure that you are connected to the vCenter Server of the Trust Authority Cluster.

Disconnect-VIServer -server * -Confirm:$false
Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'

Assign the Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA information to a variable.
For example:
```
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
```
If you are following these tasks in order, you previously assigned Get-TrustAuthorityCluster information to a variable (for example, $vTA = Get-TrustAuthorityCluster 'vTA Cluster').
The $kp variable obtains the trusted key providers in the given Trust Authority Cluster, in this case, $vTA.
Note: If you have more than one trusted key provider, use commands similar to the following to select the one you want:
```
Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
<The trusted key providers listing is displayed.>
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA | Select-Object -Last 1
```
Using Select-Object -Last 1 selects the last trusted key provider in the list.

Upload the certificate and private key using the Set-TrustAuthorityKeyProviderClientCertificate command.

For example:

Set-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp -CertificateFilePath <path/to/certfile.pem> -PrivateKeyFilePath <path/to/privatekey.pem>

Results

The trusted key provider has established trust with the key server.