You can use the Certificate Management vCenter Trusted Root Chains interface to add, delete and read trusted root certificate chains.

If you want to use an enterprise or third-party certificate authority (CA) for certificate management of your vSphere environment, you must first establish trust with that CA. You can do this by adding the root certificate of the external CA to the trusted root store of your vCenter Server system.

Adding a root certificate or certificate chain to the vCenter Server trusted certificate store establishes trust with an enterprise or third-party certificate authority. You can add a root certificate to vCenter Server as a prerequisite for other scenarios such as setting a third-party or enterprise machine SSL certificate.

Prerequisites

  • Verify that you are connected to a vSphere Automation API server.

  • Verify that the root certificate or certificate chain you want to add is available on your machine.

  • Verify that you have the required privileges: CertificateManagement.Manage and CertificateManagement.Administer.

Procedure

  1. (Optional) Retrieve the root certificates on your vCenter Server system.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains
  2. Populate the TrustedRootChains.CreateSpec data structure.

    Parameter    Type     Description
    cert_chain   String   Certificate or certificate chain in base64 encoding. The value must be a JSON string with each newline escaped as \n.

  3. Add the certificate or certificate chain.
    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/trusted-root-chains

    If the operation is successful, the system returns the unique identifier of the trusted root certificate you added.
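The steps above as an added Python example, not code from the VMware documentation. It assumes a session ID already obtained from POST /api/session (sent in the vmware-api-session-id header), a PEM file on disk, and only the standard library; the SAMPLE_PEM value is a constructed placeholder, not a real certificate.

```python
import json
import re
import ssl
import sys
import urllib.request
from typing import Optional

# One PEM certificate block; only these are forwarded to vCenter.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----")

# Constructed sample (not a real certificate) so the helpers can be exercised offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedSample\n-----END CERTIFICATE-----\n"

def build_create_spec(pem_text: str) -> dict:
    """Validate the PEM text and return the TrustedRootChains.CreateSpec dict."""
    # Only the public chain belongs in the trusted root store: refuse a pasted key.
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; send only the public chain")
    # Keep just the CERTIFICATE blocks; bag attributes or other text around them are dropped.
    blocks = PEM_BLOCK.findall(pem_text.replace("\r\n", "\n"))
    if not blocks:
        raise ValueError("no PEM CERTIFICATE block found in input")
    return {"cert_chain": "\n".join(blocks) + "\n"}

def request_body(pem_text: str) -> bytes:
    # json.dumps rewrites each real newline as the two-character escape \n,
    # which is the "JSON string escaped for newline" form the API expects.
    return json.dumps(build_create_spec(pem_text)).encode()

def add_trusted_root_chain(host: str, session_id: str, pem_text: str,
                           cafile: Optional[str] = None) -> str:
    """POST the chain and return the identifier vCenter assigns to it."""
    url = f"https://{host}/api/vcenter/certificate-management/vcenter/trusted-root-chains"
    req = urllib.request.Request(url, data=request_body(pem_text), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "vmware-api-session-id": session_id})
    # Verify vCenter's own TLS certificate (cafile: the CA that issued it); never disable this.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # usage: python add_root_chain.py <vcenter_fqdn> <session_id> <chain.pem>
    vc_host, vc_session, pem_path = sys.argv[1:4]
    with open(pem_path, encoding="ascii") as fh:
        print(add_trusted_root_chain(vc_host, vc_session, fh.read()))
```

The returned value is the identifier from step 3, which a later GET on the same endpoint lists among the trusted root chains.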