ESX Certificate Management

This section provides information on how to use the PowerShell module for VMware Cloud Foundation Certificate Management to manage ESX host certificates across your VMware Cloud Foundation instance.

Set the ESX Certificate Mode in vCenter

The Set-EsxiCertificateMode cmdlet sets the certificate management mode in vCenter for the ESX hosts in a workload domain.

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $mode = "custom"
    
  3. Set the ESX certificate management mode in vCenter by running the command in the PowerShell console.

    Set-EsxiCertificateMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -mode $mode
    

Request a Certificate Signing Request

The Request-VcfCsr cmdlet generates a Certificate Signing Request for an ESX host, or for each ESX host in a cluster, and saves each request to a file in the output directory.

Request Certificate Signing Request for each ESX Host in a Cluster

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $cluster = "sfo-m01-cl01"
    
    $country = "US"
    $locality = "San Francisco"
    $organization = "Rainpole"
    $organizationUnit = "Platform Engineering"
    $stateOrProvince = "CA"
    
    $outputDirectory = "F:\CSR\"
    
  3. Request Certificate Signing Request files by running the command in the PowerShell console.

    Request-VcfCsr -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -Country $country -Locality $locality -Organization $organization -OrganizationUnit $organizationUnit -StateOrProvince $stateOrProvince -outputDirectory $outputDirectory
    

Request a Certificate Signing Request for an ESX Host

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $esxiFqdn = 'sfo01-m01-esx01.sfo.rainpole.io'
    
    $country = "US"
    $locality = "San Francisco"
    $organization = "Rainpole"
    $organizationUnit = "Platform Engineering"
    $stateOrProvince = "CA"
    
    $outputDirectory = "F:\CSR\"
    
  3. Request a Certificate Signing Request file by running the command in the PowerShell console.

    Request-VcfCsr -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -esxiFqdn $esxiFqdn -Country $country -Locality $locality -Organization $organization -OrganizationUnit $organizationUnit -StateOrProvince $stateOrProvince -outputDirectory $outputDirectory
    

Verify the Certificate Authority is Trusted in vCenter

The Confirm-CAInvCenterServer cmdlet reads the thumbprint from the root certificate file and compares it with the CA thumbprint from the vCenter instance. You must pass the complete path to the certificate file. The cmdlet returns true if the thumbprint matches and false otherwise.

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $issuer = "rainpole"
    
    $signedCertificate = "F:\Certificates\Root64.cer"
    
  3. Verify the Certificate Authority is trusted in vCenter by running the command in the PowerShell console.

    Confirm-CAInvCenterServer -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -issuer $issuer -signedCertificate $signedCertificate
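The following script is an added example and is not part of the PowerShell module for VMware Cloud Foundation Certificate Management. It shows the local half of the check the cmdlet performs: it loads a root certificate file, computes the thumbprint the way .NET does (SHA-1 over the DER encoding) plus a SHA-256 fingerprint, confirms that the file is really a self-signed CA certificate, and compares the thumbprint with a list of trusted CA thumbprints. The function names and the thumbprint list are constructed for illustration; Confirm-CAInvCenterServer obtains the real trusted thumbprint from vCenter.

```powershell
# Added example, not module code. Computes and checks the fingerprint of a
# root CA file against a list of trusted thumbprints (constructed list below).

function Get-RootCertificateInfo {
    param([Parameter(Mandatory)] [string] $Path)

    # X509Certificate2 accepts both DER and Base64-encoded (PEM) .cer files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path -LiteralPath $Path).ProviderPath)

    # A root certificate is a CA certificate (BasicConstraints cA=TRUE) that signed itself.
    $basic = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($null -ne $basic) -and $basic.CertificateAuthority

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $sha256Hex = ($sha256.ComputeHash($cert.RawData) |
            ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $sha256.Dispose()
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        IsCa         = $isCa
        IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
        Sha1         = $cert.Thumbprint   # .NET Thumbprint = SHA-1 of the DER bytes
        Sha256       = $sha256Hex
    }
}

function Test-RootCertificateTrusted {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints
    )
    $info = Get-RootCertificateInfo -Path $Path
    if (-not ($info.IsCa -and $info.IsSelfSigned)) {
        Write-Warning "$Path is not a self-signed CA certificate: $($info.Subject)"
    }
    if ($info.NotAfter -lt (Get-Date)) {
        Write-Warning "$Path expired on $($info.NotAfter)"
    }
    # Thumbprints are often pasted with colons, spaces or mixed case; normalise
    # them so a formatting difference is not mistaken for an untrusted CA.
    $normalised = $TrustedThumbprints | ForEach-Object {
        ($_ -replace '[\s:]', '').ToUpperInvariant() }
    return [bool]($normalised -contains $info.Sha1)
}

# Usage. The thumbprint below is a constructed placeholder; replace it with the
# CA thumbprint that vCenter actually trusts.
$trustedCaThumbprints = @('0123456789ABCDEF0123456789ABCDEF01234567')
Test-RootCertificateTrusted -Path 'F:\Certificates\Root64.cer' -TrustedThumbprints $trustedCaThumbprints
```

The SHA-256 fingerprint is included because many CA portals and browsers display that value rather than the SHA-1 thumbprint that .NET and vCenter report; comparing the wrong digest is a common reason a correct root appears to be untrusted.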
    

Set the Lockdown Mode for ESX Hosts

The Set-EsxiLockdownMode cmdlet sets the lockdown mode for all ESX hosts in a given cluster.

Disable Lockdown Mode for Each ESX Host in a Cluster

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $cluster = "sfo-m01-cl01"
    
  3. Set the lockdown mode to disable by running the command in the PowerShell console.

    Set-EsxiLockdownMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -disable
    

Enable Lockdown Mode for Each ESX Host in a Cluster

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $cluster = "sfo-m01-cl01"
    
  3. Set the lockdown mode to enable by running the command in the PowerShell console.

    Set-EsxiLockdownMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -enable
    

Get the vSAN Health Summary from vCenter for a Cluster

The Get-vSANHealthSummary cmdlet gets the vSAN health summary from vCenter for a cluster. If any status is YELLOW or RED, a WARNING or ERROR will be raised.

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $cluster = "sfo-m01-cl01"
    
  3. Get the vSAN health summary from vCenter for a cluster by running the command in the PowerShell console.

    Get-vSANHealthSummary -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster
    

Run the checks required for ESX Certificate Management for a Cluster

The Test-EsxiCertMgmtChecks cmdlet runs the checks required for ESX Certificate Management for a given cluster or an ESX host. The following checks are run:

  • Check ESX Certificate Mode
  • Check ESX Lockdown Mode
  • Confirm CA In vCenter
  • Check vSAN Health Status

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $cluster = "sfo-m01-cl01"
    
    $issuer = "rainpole"
    
    $signedCertificate = "F:\Certificates\Root64.cer"
    
  3. Run the checks required for ESX Certificate Management for a cluster by running the command in the PowerShell console.

    Test-EsxiCertMgmtChecks -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -signedCertificate $signedCertificate -issuer $issuer
    

Install a Certificate

The Install-VcfCertificate cmdlet replaces the certificate for an ESX host or for each ESX host in a cluster. You must provide the directory containing the signed certificate files. Each certificate file must be named with the host FQDN and the .cer extension (for example, sfo01-m01-esx01.sfo.rainpole.io.cer). The workflow puts the ESX host in maintenance mode (with full data migration, for vSAN only), disconnects the ESX host from vCenter, replaces the certificate, restarts the ESX host, and then exits maintenance mode once the ESX host is back online.

Install a Certificate to Each ESX Host in a Cluster

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $cluster = "sfo-m01-cl01"
    
    $certificateDirectory = 'F:\Certificates'
    
    $certificateFileExt = ".cer"
    
  3. Install a certificate for each ESX host in the cluster by running the command in the PowerShell console.

    Install-VcfCertificate -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -certificateDirectory $certificateDirectory -certificateFileExt $certificateFileExt
    

Install a Certificate to an ESX Host

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    
    $workloadDomain = "sfo-m01"
    
    $esxiFqdn = 'sfo01-m01-esx01.sfo.rainpole.io'
    
    $certificateDirectory = 'F:\Certificates'
    
    $certificateFileExt = ".cer"
    
  3. Install a certificate to an ESX host by running the command in the PowerShell console.

    Install-VcfCertificate -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -esxiFqdn $esxiFqdn -certificateDirectory $certificateDirectory -certificateFileExt $certificateFileExt
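Because Install-VcfCertificate restarts each host, a malformed or mismatched certificate file is expensive to discover mid-workflow. The following pre-flight script is an added example and is not part of the module. For every host FQDN it looks for the file the cmdlet expects (FQDN plus extension), then checks the validity period, that the host name appears in the certificate's SAN or subject CN, and that the certificate chains to the same root certificate file used with Confirm-CAInvCenterServer. The function name, the minimum-validity threshold and the sample host names are assumptions made for this example.

```powershell
# Added example, not module code. Validates <fqdn><ext> files before installation.

function Test-EsxiCertificateFiles {
    param(
        [Parameter(Mandatory)] [string[]] $EsxiFqdn,
        [Parameter(Mandatory)] [string]   $CertificateDirectory,
        [Parameter(Mandatory)] [string]   $RootCertificate,
        [string] $CertificateFileExt = '.cer',
        [int]    $MinimumDaysValid = 30     # assumed threshold, adjust to policy
    )
    $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCertificate)

    foreach ($fqdn in $EsxiFqdn) {
        $path = Join-Path $CertificateDirectory ($fqdn + $CertificateFileExt)
        $problems = New-Object System.Collections.Generic.List[string]

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Host = $fqdn; File = $path; Ok = $false; Problems = @('file not found') }
            continue
        }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

        # 1. Validity window: not yet valid, expired, or too close to expiry to be worth a host restart.
        $now = [DateTime]::UtcNow
        if ($cert.NotBefore.ToUniversalTime() -gt $now) { $problems.Add('not yet valid') }
        if ($cert.NotAfter.ToUniversalTime() -lt $now.AddDays($MinimumDaysValid)) {
            $problems.Add("expires $($cert.NotAfter.ToString('u')) (less than $MinimumDaysValid days)")
        }

        # 2. The host FQDN must appear in the certificate (SAN DNS names, falling back to the CN).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Windows formats SAN entries as "DNS Name=host"; OpenSSL-backed builds use "DNS:host".
            $names += @([regex]::Matches($san.Format($false), 'DNS(?: Name)?[=:]\s*([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        if (-not ($names -contains $fqdn)) {
            $problems.Add("host name not in certificate (found: $($names -join ', '))")
        }

        # 3. The chain must end at our root. AllowUnknownCertificateAuthority lets the chain build
        #    without the root being in the machine store; the thumbprint comparison then proves the
        #    terminal certificate is our root and not some other self-signed certificate.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        [void]$chain.ChainPolicy.ExtraStore.Add($root)
        [void]$chain.Build($cert)
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($last.Thumbprint -ne $root.Thumbprint) { $problems.Add("does not chain to $($root.Subject)") }
        foreach ($status in $chain.ChainStatus) {
            # UntrustedRoot is expected here (the root is supplied from a file, not the store).
            if ($status.Status -ne 'UntrustedRoot' -and $status.Status -ne 'NoError') {
                $problems.Add("chain: $($status.StatusInformation.Trim())")
            }
        }
        $chain.Reset()

        [pscustomobject]@{ Host = $fqdn; File = $path; Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
    }
}

# Usage with constructed sample values that follow the naming convention described above.
Test-EsxiCertificateFiles -EsxiFqdn 'sfo01-m01-esx01.sfo.rainpole.io', 'sfo01-m01-esx02.sfo.rainpole.io' `
    -CertificateDirectory 'F:\Certificates' -RootCertificate 'F:\Certificates\Root64.cer' |
    Format-Table Host, Ok, Problems -AutoSize
```

Run this once per cluster before Install-VcfCertificate and only proceed when every row reports Ok = True; a single host with a wrong SAN or an unexpected issuer would otherwise be restarted and then fail to reconnect to vCenter.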