The GUI Way<\/h3>\n\n\n\n
Now that we know which certificate replacement method we want to use, we’ll first explore how to complete this certificate replacement in the HTML5 UI. We’ll navigate to vSphere Client > Administration > Certificates > Certificate Management. From here we can see the existing Machine_Cert that is used, which expires in November 2023.<\/p>\n\n\n\n In this tile with our certificate detail, we see an Actions drop down, which contains choices to Renew, Import and Replace Certificate, and Generate Certificate Signing Request (CSR). When I do this in the HTML5 UI, it is typically two steps. First, I create a CSR, which prompts me to enter information about the certificate I’d like to request.<\/p>\n\n\n\n Once this is complete, I’m provided with a long string of text (the CSR) which I need to send to my certificate management \/ crypto folks for processing. They will return a certificate to me. You may have noticed I do not see the private key at any point during this process — this is because vCenter keeps this information private. Once I have my certificate, I can go back to the tile and provide the certificate files — the private key is already there. <\/p>\n\n\n\n It can take some time for services to restart, but I should have another year before I need to replace this certificate again.<\/p>\n\n\n\n This was very straight forward in the UI, the next steps will cover doing the same process using the vSphere API.<\/p>\n\n\n\n When browsing vSphere Client > Developer Center > API Explorer, I see two interesting headings under the As in the section where we discussed using the GUI, we now need to provide our CSR to the certificate management folks \/ crypto team. They are typically responsible for requesting\/creating certificates. Depending on the Certificate Authority in use, this step could also be automated, but it is outside the scope of this article. <\/p>\n\n\n\n Once we have our certificate, in my case a pair of After running that This article shows how similar the HTML5 UI is to these specific APIs for certificate replacement. I hope this helps you automate this repeatable task. <\/p>\n","protected":false},"excerpt":{"rendered":" Validity periods for SSL certificates keep shrinking, requiring more frequent certificate replacements. Something that once only needed done every 3 or so years is now required every year. With these increased demands it is common to want to automate this … Continue reading ![\"\"](\"https:\/\/enterpriseadmins.org\/blog\/wp-content\/uploads\/2023\/03\/image.png\")
<\/a>![\"\"](\"https:\/\/enterpriseadmins.org\/blog\/wp-content\/uploads\/2023\/03\/image-1.png\")
<\/a>![\"\"](\"https:\/\/enterpriseadmins.org\/blog\/wp-content\/uploads\/2023\/03\/image-2-1024x230.png\")
<\/a>![\"\"](\"https:\/\/enterpriseadmins.org\/blog\/wp-content\/uploads\/2023\/03\/image-3-1024x620.png\")
<\/a>![\"\"](\"https:\/\/enterpriseadmins.org\/blog\/wp-content\/uploads\/2023\/03\/image-4.png\")
<\/a>Automating the Certificate Signing Request<\/h3>\n\n\n\n
vcenter<\/code> API endpoint we can see an entry for certificate_management\/vcenter\/tls_csr<\/code>. The description states “Generates a CSR with the given Spec.” If we connect to the vSphere Automation SDK server with Connect-CisServer<\/code>, we can get this specific service and create the spec. From there, we can populate all the fields and then create our new CSR. Here is a code block showing all these steps with some dummy data.<\/p>\n\n\n\nConnect-CisServer vcenter.example.com\n$tlsCSR = Get-CisService -Name com.vmware.vcenter.certificate_management.vcenter.tls_csr\n$tlscsrSpec = $tlscsr.Help.create.spec.Create()\n\n$tlscsrSpec.key_size = 2048\n$tlscsrSpec.common_name = 'vcenter.example.com'\n$tlscsrSpec.organization = 'Example'\n$tlscsrSpec.organization_unit = 'Testing'\n$tlscsrSpec.locality = 'Greenfield'\n$tlscsrSpec.state_or_province = 'Indiana'\n$tlscsrSpec.country = 'US'\n$tlscsrSpec.email_address = 'vi-admin@example.com'\n$tlscsrSpec.subject_alt_name = \"vcenter\"\n\n$tlsCSR.create($tlscsrSpec).csr<\/code><\/pre>\n\n\n\nRequesting the Certificate<\/h3>\n\n\n\n
Replacing the Certificate<\/h3>\n\n\n\n
cer<\/code> files (one for my vCenter Server and one for the root cert of the CA), we can return to our PowerCLI window. I was able to quickly request\/approve a new certificate and my PowerCLI session was still open so I didn’t need to use Connect-CisServer<\/code> again, however you may need to reconnect days later, thats no problem and will work fine. I used Get-Content<\/code> to read in the two cer<\/code> files, but by default that reads line by line. Therefore, I used -join<\/code> to put each line into a single variable, and for good measure removed any leading\/trailing spaces with .trim()<\/code> as I’ve seen that cause issues with certificates in the past. I then used the certificate_management\/vcenter\/tls<\/code> service and created the sample specification. This results in a new object being created where cert<\/code> is required and the other properties (key<\/code> and root_cert<\/code>) are optional. For my case I specified just the cert<\/code> and root_cert<\/code> since my CSR was generated\/stored by the vCenter Server Appliance already.<\/p>\n\n\n\n$cert = ( (Get-Content .\\certnew-vcsa-api.cer) -join \"`n\").trim()\n$rootcert = ( (Get-Content .\\certnew-ca.cer) -join \"`n\").trim()\n\n$tls = Get-CisService -Name com.vmware.vcenter.certificate_management.vcenter.tls\n$setTls = $tls.Help.set.spec.Create()\n\n$setTls.cert = $cert\n$setTls.root_cert = $rootcert\n\n$tls.set($setTls)<\/code><\/pre>\n\n\n\n$tls.set<\/code> method on the last line of the code block above, vCenter services automatically restart, just like in the UI example.<\/p>\n\n\n\nConclusion<\/h3>\n\n\n\n