ESX Certificate Management
This section provides information on how to use the PowerShell module for VMware Cloud Foundation Certificate Management to manage ESX host certificates across your VMware Cloud Foundation instance.
Set the ESX Certificate Mode in vCenter

The Set-EsxiCertificateMode cmdlet sets the certificate management mode in vCenter for the ESX hosts in a workload domain.

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$mode = "custom"

- Set the ESX certificate management mode in vCenter by running the command in the PowerShell console.

Set-EsxiCertificateMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -mode $mode
Request a Certificate Signing Request

The Request-VcfCsr cmdlet generates the Certificate Signing Request for one or more ESX hosts and saves it to a file per host in an output directory.
Request a Certificate Signing Request for each ESX Host in a Cluster

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$cluster = "sfo-m01-cl01"
$country = "US"
$locality = "San Francisco"
$organization = "Rainpole"
$organizationUnit = "Platform Engineering"
$stateOrProvince = "CA"
$outputDirectory = "F:\CSR\"

- Request the Certificate Signing Request files by running the command in the PowerShell console. (The -Locality argument must reference the $locality variable defined above; the sample previously passed an undefined $location.)

Request-VcfCsr -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -Country $country -Locality $locality -Organization $organization -OrganizationUnit $organizationUnit -StateOrProvince $stateOrProvince -outputDirectory $outputDirectory
Request a Certificate Signing Request for an ESX Host

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$esxiFqdn = 'sfo01-m01-esx01.sfo.rainpole.io'
$country = "US"
$locality = "San Francisco"
$organization = "Rainpole"
$organizationUnit = "Platform Engineering"
$stateOrProvince = "CA"
$outputDirectory = "F:\CSR\"

- Request a Certificate Signing Request file by running the command in the PowerShell console.

Request-VcfCsr -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -esxiFqdn $esxiFqdn -Country $country -Locality $locality -Organization $organization -OrganizationUnit $organizationUnit -StateOrProvince $stateOrProvince -outputDirectory $outputDirectory
Verify the Certificate Authority is Trusted in vCenter

The Confirm-CAInvCenterServer cmdlet reads the thumbprint of the root certificate and compares it with the CA thumbprint held by the vCenter instance. You must pass the full path to the certificate file. It returns true if the thumbprints match, otherwise false.

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$issuer = "rainpole"
$signedCertificate = "F:\Certificates\Root64.cer"

- Verify the Certificate Authority is trusted in vCenter by running the command in the PowerShell console.

Confirm-CAInvCenterServer -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -issuer $issuer -signedCertificate $signedCertificate
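Confirm-CAInvCenterServer compares the thumbprint of the file you hand it against what vCenter already trusts, so it is only as good as the file. The following added example (not part of the module or of this documentation) fingerprints the root certificate file locally with plain .NET calls so the value can be compared with the fingerprint the PKI team published out of band before the file is used anywhere. The file path reuses the sample value above; the expected fingerprint is a placeholder you replace with the published value.

```powershell
# Added example: independently fingerprint the root CA file before trusting it.
# Not part of the PowerShell module for VMware Cloud Foundation Certificate Management.
$signedCertificate = "F:\Certificates\Root64.cer"
$expectedSha256    = "<SHA-256 fingerprint published by the PKI team>"   # placeholder

function Get-CertificateFingerprint {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    # X509Certificate2 loads both DER and Base64 (PEM) encoded files, so a
    # "Root64.cer" Base64 export is read the same way as a binary .cer file.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # .Thumbprint is SHA-1 over the DER encoding. Compute SHA-256 over the same
    # bytes (RawData) so the result can be compared with a modern fingerprint.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha256.ComputeHash($cert.RawData)
    } finally {
        $sha256.Dispose()
    }

    [pscustomobject]@{
        Subject              = $cert.Subject
        Issuer               = $cert.Issuer
        SubjectEqualsIssuer  = ($cert.Subject -eq $cert.Issuer)   # expected for a root
        NotBefore            = $cert.NotBefore
        NotAfter             = $cert.NotAfter
        Sha1                 = $cert.Thumbprint
        Sha256               = ([System.BitConverter]::ToString($digest)) -replace '-', ''
    }
}

$fp = Get-CertificateFingerprint -Path $signedCertificate
$fp | Format-List

if (-not $fp.SubjectEqualsIssuer) {
    Write-Warning "Subject and issuer differ: this file is not a root certificate. Confirm the top of the chain before continuing."
}
if ($fp.NotAfter -lt (Get-Date)) {
    Write-Warning "The certificate in this file has already expired."
}
# Normalise the published value (colons, spaces, case) before comparing.
$normalisedExpected = ($expectedSha256 -replace '[:\s]', '').ToUpperInvariant()
if ($fp.Sha256 -ne $normalisedExpected) {
    Write-Warning "SHA-256 fingerprint does not match the published value. Do not trust this CA until the mismatch is explained."
}
```

Run this on the same file you pass as -signedCertificate; if the SHA-256 value does not match the published one, resolve that first rather than proceeding to Confirm-CAInvCenterServer, since a true result from that cmdlet only tells you that vCenter trusts whatever is in the file.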
Set the Lockdown Mode for ESX Hosts

The Set-EsxiLockdownMode cmdlet sets the lockdown mode for all ESX hosts in a given cluster.

Disable Lockdown Mode for Each ESX Host in a Cluster

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$cluster = "sfo-m01-cl01"

- Set the lockdown mode to disable by running the command in the PowerShell console.

Set-EsxiLockdownMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -disable
Enable Lockdown Mode for Each ESX Host in a Cluster

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$cluster = "sfo-m01-cl01"

- Set the lockdown mode to enable by running the command in the PowerShell console.

Set-EsxiLockdownMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -enable
Get the vSAN Health Summary from vCenter for a Cluster

The Get-vSANHealthSummary cmdlet gets the vSAN health summary from vCenter for a cluster. If any status is YELLOW or RED, a WARNING or ERROR is raised.

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$cluster = "sfo-m01-cl01"

- Get the vSAN health summary from vCenter for a cluster by running the command in the PowerShell console.

Get-vSANHealthSummary -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster
Run the Checks Required for ESX Certificate Management for a Cluster

The Test-EsxiCertMgmtChecks cmdlet runs the checks required for ESX Certificate Management for a given cluster or an ESX host.

The following checks are run:

- Check ESX Certificate Mode
- Check ESX Lockdown Mode
- Confirm CA In vCenter
- Check vSAN Health Status

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$cluster = "sfo-m01-cl01"
$issuer = "rainpole"
$signedCertificate = "F:\Certificates\Root64.cer"

- Run the checks required for ESX Certificate Management for a cluster by running the command in the PowerShell console.

Test-EsxiCertMgmtChecks -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -signedCertificate $signedCertificate -issuer $issuer
Install a Certificate

The Install-VcfCertificate cmdlet replaces the certificate for an ESX host or for each ESX host in a cluster. You must provide the directory containing the signed certificate files. Certificate names should be in format

Install a Certificate to Each ESX Host in a Cluster

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$cluster = "sfo-m01-cl01"
$certificateDirectory = 'F:\Certificates'
$certificateFileExt = ".cer"

- Install a certificate to each ESX host in the cluster by running the command in the PowerShell console.

Install-VcfCertificate -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -certificateDirectory $certificateDirectory -certificateFileExt $certificateFileExt
Install a Certificate to an ESX Host

- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

Example:

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "admin@local"
$sddcManagerPass = "VMw@re1!VMw@re1!"
$workloadDomain = "sfo-m01"
$esxiFqdn = 'sfo01-m01-esx01.sfo.rainpole.io'
$certificateDirectory = 'F:\Certificates'
$certificateFileExt = ".cer"

- Install a certificate to an ESX host by running the command in the PowerShell console.

Install-VcfCertificate -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -esxiFqdn $esxiFqdn -certificateDirectory $certificateDirectory -certificateFileExt $certificateFileExt
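Install-VcfCertificate reports on the replacement it performed, but the check that matters to a defender is what the host actually presents on port 443 afterwards. The following added example (not part of the module or of this documentation) opens a TLS connection to each host, captures the certificate it serves, and verifies with an X509Chain that the certificate chains to the root CA file used earlier on this page, that it has not expired, and that its DNS name matches the host. The host list, root file path and port are assumptions taken from the sample values above; replace them with your own.

```powershell
# Added example: verify the certificate each ESX host serves after installation.
# Not part of the PowerShell module for VMware Cloud Foundation Certificate Management.
$hostsToVerify = @('sfo01-m01-esx01.sfo.rainpole.io')   # constructed sample list
$rootCaFile    = 'F:\Certificates\Root64.cer'           # root CA confirmed in vCenter
$port          = 443

function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # The handshake callback accepts any certificate only so the handshake completes
    # and the leaf can be captured; the real validation is Test-ChainsToRoot below.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for the host name
        # Copy the remote certificate so it outlives the stream.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-ChainsToRoot {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Offer the expected root as a candidate and tolerate an unknown CA so the
        # build does not depend on the local machine store; then require that the
        # chain really terminates at the expected root by comparing thumbprints.
        [void]$chain.ChainPolicy.ExtraStore.Add($Root)
        $chain.ChainPolicy.VerificationFlags =
            [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck   # offline check
        $built = $chain.Build($Leaf)   # false on expiry, bad signature, name/usage errors
        $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Built        = $built
            EndsAtRoot   = ($top.Thumbprint -eq $Root.Thumbprint)
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally {
        $chain.Reset()
    }
}

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCaFile)
$dnsNameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

foreach ($h in $hostsToVerify) {
    $leaf   = Get-ServedCertificate -HostName $h -Port $port
    $result = Test-ChainsToRoot -Leaf $leaf -Root $root
    # GetNameInfo returns the first DNS SAN (or the CN if no SAN is present).
    $servedName = $leaf.GetNameInfo($dnsNameType, $false)
    [pscustomobject]@{
        Host                 = $h
        Subject              = $leaf.Subject
        NotAfter             = $leaf.NotAfter
        Sha1Thumbprint       = $leaf.Thumbprint
        NameMatchesHost      = ($servedName -eq $h)
        ChainsToExpectedRoot = ($result.Built -and $result.EndsAtRoot)
        ChainStatus          = $result.ChainStatus
    }
}
```

A row whose ChainsToExpectedRoot is false after the install either means the host is still serving the old certificate (compare Sha1Thumbprint with the file you installed) or that the certificate was issued by a CA other than the one confirmed in vCenter; the ChainStatus column carries the .NET reason, such as NotTimeValid or PartialChain, to tell the two apart.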