You can use HTTP requests to perform trust management operations.

You can list and update server certificates, retrieve, generate, and update client certificates, generate a CSR, and set the key server credential. Some operations require you to specify parameters in the body of the HTTP request according to your vSphere Trust Authority environment. For details about the syntax of each HTTP request body, see the API Reference documentation.

Prerequisites

  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.

Procedure

  1. List the remote server certificates on the configured key servers to verify the trusted key servers.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/current?server_names=<value-1>&server_names=<value-2>&trusted=<true>&vmw-task=true

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  2. Retrieve the list of trusted server certificates.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/trusted?vmw-task=true

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  3. Update the trusted server certificates.
    Note:

    This operation overwrites the existing list of trusted certificates.

    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/peer-certs/trusted?vmw-task=true

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  4. Retrieve the existing client certificate.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=true

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

    If the operation is successful, you receive the client certificate in PEM format.

  5. Generate a new self-signed client certificate, used to establish a secure connection to the key server.
    Note:

    This operation overwrites the existing client certificate.

    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=true

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

    If the operation is successful, you can provide the newly generated self-signed client certificate to the key server to establish trust with the Key Provider.

  6. Update the client certificate to specify which certificate the Key Provider should use to authenticate with the key server.
    Note:

    If a client certificate exists, this operation overwrites it.

    PATCH https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate?vmw-task=true

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
  7. Generate a certificate signing request (CSR) for the client certificate.
    Note:

    If a CSR exists, this operation overwrites it.

    POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/client-certificate/csr?vmw-task=true

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>

    If the operation is successful, you receive the client CSR in PEM format and the ID of the host that issued it. The generated CSR can later be signed by a third party. The signed CSR should be replicated and set on each host.

  8. Set the key server credential for key servers that require a password.
    PUT https://<vcenter_ip_address_or_fqdn>/api/vcenter/trusted-infrastructure/trust-authority-clusters/<cluster>/kms/providers/<provider>/credential?vmw-task=true

    "secret string"

    You receive the task ID in the response body. You can use the task ID to check the status of the task by running the following HTTP request.

    GET https://<vcenter_ip_address_or_fqdn>/api/cis/tasks/<task_ID>
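Every step above follows the same pattern: send the request with vmw-task=true, receive a task ID, then poll /api/cis/tasks/<task_ID> until the task finishes. The following Python is an added example, not code from the VMware documentation or product, that wraps this pattern in one function and adds the check a practitioner wants before updating the trusted list in step 3: a SHA-256 fingerprint of each certificate returned by peer-certs/current, to compare against what the key server operator published out of band. The HTTP layer is injected as a callable so the logic runs offline against a constructed FakeVCenter; the task-document fields (status, result, error), the terminal states SUCCEEDED/FAILED, the server_name/certificate keys in the result, and the vmware-api-session-id header are assumptions about the API, not taken from this page.

```python
"""Drive a vmw-task=true request and poll /api/cis/tasks/<task_ID> to completion.

Added example, not VMware code. The task-document shape (status/result/error),
terminal states and result keys are assumptions about the vSphere REST API.
"""
import base64
import hashlib
import json
import ssl
import time
import urllib.request

TERMINAL_STATES = {"SUCCEEDED", "FAILED"}  # assumed terminal task states
FAIL = object()  # sentinel used by FakeVCenter to simulate a failed task

# Constructed sample: base64 of placeholder bytes, NOT a real X.509 certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder DER bytes").decode()
              + "\n-----END CERTIFICATE-----\n")


def urllib_transport(session_id, ca_bundle):
    """Real transport: JSON over HTTPS with a vCenter session token.

    'vmware-api-session-id' is assumed to be the session header. Server
    certificate verification stays ON (ca_bundle): this client is configuring
    trust itself, so it must not accept an unverified vCenter.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def send(method, url, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("vmware-api-session-id", session_id)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


def task_url(vcenter, task_id):
    return f"https://{vcenter}/api/cis/tasks/{task_id}"


def run_task(send, vcenter, method, url, body=None, poll_interval=0.0, max_polls=60):
    """Issue an async request (URL must carry vmw-task=true) and poll the task.

    Returns the task's 'result' on SUCCEEDED; raises on FAILED or timeout so a
    caller never mistakes a pending or failed trust update for a completed one.
    """
    if "vmw-task=true" not in url:
        raise ValueError("async operation requires vmw-task=true in the URL")
    status_code, task_id = send(method, url, body)
    if status_code not in (200, 202) or not isinstance(task_id, str):
        raise RuntimeError(f"unexpected response {status_code}: {task_id!r}")
    state = None
    for _ in range(max_polls):
        _, task = send("GET", task_url(vcenter, task_id), None)
        state = task.get("status")
        if state == "SUCCEEDED":
            return task.get("result")
        if state == "FAILED":
            raise RuntimeError(f"task {task_id} failed: {task.get('error')}")
        time.sleep(poll_interval)
    raise TimeoutError(f"task {task_id} still {state} after {max_polls} polls")


def pem_sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint of the DER bytes inside a PEM block.

    Compare this against the fingerprint the key-server operator published
    out of band before the certificate is added to the trusted list (step 3).
    """
    lines = [l.strip() for l in pem.strip().splitlines()]
    b64 = "".join(l for l in lines if l and not l.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FakeVCenter:
    """Constructed stand-in for vCenter: each task completes after two polls.

    'results' maps the last path segment (e.g. 'current', 'trusted') to the
    task result; unknown paths produce a FAILED task.
    """
    def __init__(self, vcenter, results):
        self.vcenter, self.results, self.tasks, self.n = vcenter, results, {}, 0

    def send(self, method, url, body):
        if url.startswith(task_url(self.vcenter, "")):
            task = self.tasks[url.rsplit("/", 1)[1]]
            task["polls"] += 1
            if task["polls"] >= 2:
                task["status"] = "FAILED" if task["result"] is FAIL else "SUCCEEDED"
            return 200, task
        self.n += 1
        task_id = f"task-{self.n}"
        segment = url.split("?")[0].rsplit("/", 1)[1]
        self.tasks[task_id] = {"status": "RUNNING", "polls": 0,
                               "result": self.results.get(segment, FAIL), "error": None}
        return 202, task_id


def demo():
    """Step 1 against the fake: list current peer certs, return name/fingerprint pairs."""
    vc = "vcenter.example.test"  # placeholder FQDN
    base = (f"https://{vc}/api/vcenter/trusted-infrastructure/trust-authority-clusters/"
            "<cluster>/kms/providers/<provider>")
    fake = FakeVCenter(vc, {"current": [{"server_name": "kms1", "certificate": SAMPLE_PEM}]})
    certs = run_task(fake.send, vc, "GET", base + "/peer-certs/current?vmw-task=true")
    return [(c["server_name"], pem_sha256_fingerprint(c["certificate"])) for c in certs]


if __name__ == "__main__":
    for name, fp in demo():
        print(name, fp)
```

To run it against a real vCenter, replace fake.send with urllib_transport(session_id, ca_bundle) and fill in the cluster and provider identifiers from your environment; the polling and fingerprint logic is unchanged.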