Configure Trusted TPMs of Attested ESXi Hosts on a Cluster Level

You can use HTTP requests to manage remote attestation configuration for TPM trust.

You can add, list, remove, and retrieve details about TPM CA certificates and TPM endorsement keys. You can also set and retrieve TPM 2.0 attestation settings. Some operations require you to specify parameters in the body of the HTTP request according to your vSphere Trust Authority environment. For details about the syntax of each HTTP request body, see the API Reference documentation.

Prerequisites

Verify that you have access to a working vSphere Trust Authority environment.
Verify that you have Trusted Infrastructure administrative privileges.

Procedure

Add a new TPM CA certificate to a Trusted Cluster to specify a trusted platform OEM.
```
POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates?vmw-task=true
```
You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
```
GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
```
Retrieve a list of configured TPM CA certificates on a Trusted Cluster to identify the trusted platform OEMs.
```
GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates?vmw-task=true
```
You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
```
GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
```
Remove a TPM CA certificate from a Trusted Cluster because a platform OEM is no longer trusted.
```
DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates/<name>?vmw-task=true
```
You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
```
GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
```
Retrieve details about a specific TPM CA certificate on a Trusted Cluster to get more information about the trusted platform OEM.
```
GET https://<vcenter_ip_address_or_fqdn>//api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/ca-certificates/<name>?vmw-task=true
```
You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
```
GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
```

Add a new TPM endorsement key to a Trusted Cluster to specify a trusted ESXi host.

POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys?vmw-task=true

You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

Retrieve a list of configured TPM endorsement keys in a Trusted Cluster to identify the trusted ESXi hosts.
```
GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys?vmw-task=true
```
You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
```
GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
```

Remove a TPM endorsement key from a Trusted Cluster because an ESXi host is no longer trusted.

DELETE https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys/<name>?vmw-task=true

You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

Retrieve details about a specific TPM endorsement key on a Trusted Cluster to get more information about the trusted ESXi host.
```
GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/endorsement-keys/<name>?vmw-task=true
```
You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
```
GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
```
Set the TPM 2.0 attestation settings by specifying that TPM endorsement keys on a Trusted Cluster do not need to be signed because the trusted OEM does not sign endorsement keys.
```
PATCH https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/settings?vmw-task=true

{
    "require_endorsement_keys" : false,
    "require_certificate_validation" : true
}
```
You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.
```
GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
```

Determine the TPM 2.0 attestation settings in a Trusted Cluster.

GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/attestation/tpm2/settings?vmw-task=true

You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>