You can use interfaces from the com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.kms.providers package to perform trust management operations.

You can list and update server certificates; retrieve, generate, and update client certificates; generate a CSR; and set the key server credential.

Prerequisites

  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.

Procedure

  1. List the server certificates that the configured key servers currently present, so that you can verify which key servers are trusted, by calling the list_Task(java.lang.String cluster, java.lang.String provider, CurrentPeerCertificatesTypes.FilterSpec spec) method of the CurrentPeerCertificates interface.
  2. Retrieve the list of trusted server certificates by calling the get_Task(java.lang.String cluster, java.lang.String provider) method of the TrustedPeerCertificates interface.
  3. Update the trusted server certificates by calling the update_Task(java.lang.String cluster, java.lang.String provider, TrustedPeerCertificatesTypes.UpdateSpec spec) method of the TrustedPeerCertificates interface.
    Note:

    This operation overwrites the existing list of trusted certificates.

  4. Retrieve the existing client certificate by calling the get_Task(java.lang.String cluster, java.lang.String provider) method of the ClientCertificate interface.

    If the operation is successful, you receive the client certificate in PEM format.

  5. Generate a new self-signed client certificate, which is used to establish a secure connection to the key server, by calling the create_Task(java.lang.String cluster, java.lang.String provider) method of the ClientCertificate interface.
    Note:

    This operation overwrites the existing client certificate.

    If the operation is successful, you can provide the newly generated self-signed client certificate to the key server to establish trust with the Key Provider.

  6. Update the client certificate to specify the certificate that the Key Provider uses to authenticate with the key server by calling the update_Task(java.lang.String cluster, java.lang.String provider, ClientCertificateTypes.UpdateSpec spec) method of the ClientCertificate interface.
    Note:

    If a client certificate exists, this operation overwrites it.

  7. Generate a certificate signing request (CSR) for the client certificate by calling the create_Task(java.lang.String cluster, java.lang.String provider) method of the ClientCertificate interface.
    Note:

    If a CSR exists, this operation overwrites it.

    If the operation is successful, you receive the client CSR in PEM format and the ID of the host that issued it. The generated CSR can later be signed by a third party. The resulting signed certificate must be replicated to, and set on, each host.

  8. Set the key server credential for key servers that require a password by calling the set_Task(java.lang.String cluster, java.lang.String provider, char[] credential) method of the Credential interface.
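
The following class is an added example, not code from the VMware documentation or SDK. It wraps the _Task methods named in steps 2, 3, 4, 5 and 8 so that two of the caveats above are handled in code: the trusted-certificate update reads the existing list and submits the union instead of silently replacing it, and the key-server password is wiped from the char[] once the set operation completes. Everything outside the method names and signatures given in the procedure is an assumption about the vSphere Automation SDK for Java: that StubFactory and StubConfiguration come from an already authenticated session, that the _Task methods return a task identifier (String) that com.vmware.cis.Tasks can poll, that results come back as vAPI DataValue structures with snake_case field names, and that TrustedPeerCertificatesTypes.UpdateSpec exposes a setCertificates setter. Check each of these against the SDK version you build against.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;

import com.vmware.cis.Tasks;
import com.vmware.cis.task.Info;
import com.vmware.cis.task.Status;
import com.vmware.vapi.bindings.StubConfiguration;
import com.vmware.vapi.bindings.StubFactory;
import com.vmware.vapi.data.DataValue;
import com.vmware.vapi.data.ListValue;
import com.vmware.vapi.data.StringValue;
import com.vmware.vapi.data.StructValue;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.kms.providers.ClientCertificate;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.kms.providers.Credential;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.kms.providers.TrustedPeerCertificates;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.kms.providers.TrustedPeerCertificatesTypes;

/**
 * Added example (not VMware code). Assumptions: factory/config belong to an authenticated
 * SDK session; *_Task methods return a task id that com.vmware.cis.Tasks can poll; task
 * results are vAPI DataValue structs whose fields use snake_case names.
 */
public class KeyProviderTrust {
    private final StubFactory factory;
    private final StubConfiguration config;
    private final Tasks tasks;

    public KeyProviderTrust(StubFactory factory, StubConfiguration config) {
        this.factory = factory;
        this.config = config;
        this.tasks = factory.createStub(Tasks.class, config);
    }

    /** Blocks until the task finishes; throws if it FAILED (assumed cis.Tasks polling shape). */
    DataValue await(String taskId) throws InterruptedException {
        while (true) {
            Info info = tasks.get(taskId, null);
            if (info.getStatus() == Status.SUCCEEDED) {
                return info.getResult();
            }
            if (info.getStatus() == Status.FAILED) {
                throw new IllegalStateException("task " + taskId + " failed: " + info.getError());
            }
            Thread.sleep(1000L);
        }
    }

    /** Reads a list-of-strings field from a struct result (assumed DataValue layout). */
    static List<String> stringListField(DataValue struct, String field) {
        List<String> out = new ArrayList<>();
        for (DataValue v : ((ListValue) ((StructValue) struct).getField(field)).getList()) {
            out.add(((StringValue) v).getValue());
        }
        return out;
    }

    /** Step 2: the server certificates (PEM) that the Key Provider currently trusts. */
    public List<String> trustedServerCertificates(String cluster, String provider) throws InterruptedException {
        TrustedPeerCertificates trusted = factory.createStub(TrustedPeerCertificates.class, config);
        return stringListField(await(trusted.get_Task(cluster, provider)), "certificates");
    }

    /**
     * Step 3 without losing existing trust: update_Task replaces the whole list, so fetch the
     * current certificates and submit the union. Returns the list that was written.
     */
    public List<String> addTrustedServerCertificates(String cluster, String provider, List<String> newPems)
            throws InterruptedException {
        LinkedHashSet<String> merged = new LinkedHashSet<>(trustedServerCertificates(cluster, provider));
        merged.addAll(newPems);
        TrustedPeerCertificatesTypes.UpdateSpec spec = new TrustedPeerCertificatesTypes.UpdateSpec();
        spec.setCertificates(new ArrayList<>(merged)); // assumed setter name on UpdateSpec
        TrustedPeerCertificates trusted = factory.createStub(TrustedPeerCertificates.class, config);
        await(trusted.update_Task(cluster, provider, spec));
        return new ArrayList<>(merged);
    }

    /** Steps 5 then 4: rotate the self-signed client certificate and return the new PEM for the key server. */
    public String rotateClientCertificate(String cluster, String provider) throws InterruptedException {
        ClientCertificate client = factory.createStub(ClientCertificate.class, config);
        await(client.create_Task(cluster, provider)); // replaces the existing client certificate
        DataValue info = await(client.get_Task(cluster, provider));
        return ((StringValue) ((StructValue) info).getField("certificate")).getValue();
    }

    /** Step 8: set the key-server password and zero the buffer once the task has completed. */
    public void setKeyServerCredential(String cluster, String provider, char[] password) throws InterruptedException {
        Credential credential = factory.createStub(Credential.class, config);
        try {
            await(credential.set_Task(cluster, provider, password));
        } finally {
            Arrays.fill(password, '\0'); // the credential was sent; keep no copy in this process
        }
    }
}
```

Because update_Task on TrustedPeerCertificates replaces the list rather than appending to it, addTrustedServerCertificates is the operation to expose to operators; a direct call to update_Task with only the new certificate would drop trust in every key server that was configured before.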