ESXi Certificate Management¶
This section provides information on how to use the PowerShell module for VMware Cloud Foundation Certificate Management to manage ESXi host certificates across your VMware Cloud Foundation instance.
Set the ESXi Certificate Mode in vCenter Server¶
The `Set-EsxiCertificateMode` cmdlet sets the certificate management mode in vCenter Server for the ESXi hosts in a workload domain. Set the mode to `custom` before installing host certificates issued by your own CA, which is the workflow this section describes; `vmca` hands issuance back to the VMware Certificate Authority.
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser = "admin@local"
  $sddcManagerPass = "VMw@re1!VMw@re1!"
  $workloadDomain  = "sfo-m01"
  $mode            = "custom"
  ```

- Set the ESXi certificate management mode in vCenter Server by running the command in the PowerShell console.

  ```powershell
  Set-EsxiCertificateMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -mode $mode
  ```
Request a Certificate Signing Request¶
The `Request-VCFCsr` cmdlet generates a Certificate Signing Request for one ESXi host or for each ESXi host in a cluster and saves each request to a file in the output directory.
Request Certificate Signing Request for each ESXi Host in a Cluster¶
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn  = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser  = "admin@local"
  $sddcManagerPass  = "VMw@re1!VMw@re1!"
  $workloadDomain   = "sfo-m01"
  $cluster          = "sfo-m01-cl01"
  $country          = "US"
  $locality         = "San Francisco"
  $organization     = "Rainpole"
  $organizationUnit = "Platform Engineering"
  $stateOrProvince  = "CA"
  $outputDirectory  = "F:\CSR\"
  ```

- Request the Certificate Signing Request files by running the command in the PowerShell console.

  ```powershell
  Request-VCFCsr -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -Country $country -Locality $locality -Organization $organization -OrganizationUnit $organizationUnit -StateOrProvince $stateOrProvince -outputDirectory $outputDirectory
  ```
Request a Certificate Signing Request for an ESXi Host¶
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn  = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser  = "admin@local"
  $sddcManagerPass  = "VMw@re1!VMw@re1!"
  $workloadDomain   = "sfo-m01"
  $esxiFqdn         = 'sfo01-m01-esx01.sfo.rainpole.io'
  $country          = "US"
  $locality         = "San Francisco"
  $organization     = "Rainpole"
  $organizationUnit = "Platform Engineering"
  $stateOrProvince  = "CA"
  $outputDirectory  = "F:\CSR\"
  ```

- Request a Certificate Signing Request file by running the command in the PowerShell console.

  ```powershell
  Request-VCFCsr -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -esxiFqdn $esxiFqdn -Country $country -Locality $locality -Organization $organization -OrganizationUnit $organizationUnit -StateOrProvince $stateOrProvince -outputDirectory $outputDirectory
  ```
Verify the Certificate Authority is Trusted in vCenter Server¶
The `Confirm-CAInvCenterServer` cmdlet computes the thumbprint of the root certificate file you pass in (give the complete path to the file) and compares it with the thumbprint of the trusted CA certificate that vCenter Server reports for the given issuer. It returns `true` if the thumbprints match, otherwise `false`. Run this before replacing any host certificate: if vCenter Server does not trust the CA that signed the new host certificates, it cannot re-establish trust with the hosts after the replacement.
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn   = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser   = "admin@local"
  $sddcManagerPass   = "VMw@re1!VMw@re1!"
  $workloadDomain    = "sfo-m01"
  $issuer            = "rainpole"
  $signedCertificate = "F:\Certificates\Root64.cer"
  ```

- Verify that the Certificate Authority is trusted in vCenter Server by running the command in the PowerShell console.

  ```powershell
  Confirm-CAInvCenterServer -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -issuer $issuer -signedCertificate $signedCertificate
  ```
Set the Lockdown Mode for ESXi Hosts¶
The `Set-EsxiLockdownMode` cmdlet sets the lockdown mode for all ESXi hosts in a given cluster. Lockdown mode must be disabled on the hosts while their certificates are replaced (it is one of the checks run by `Test-EsxiCertMgmtChecks`); disable it before the replacement and enable it again as soon as the new certificates are installed, so that direct access to the hosts is not left open longer than necessary.
Disable Lockdown Mode for Each ESXi Host in a Cluster¶
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser = "admin@local"
  $sddcManagerPass = "VMw@re1!VMw@re1!"
  $workloadDomain  = "sfo-m01"
  $cluster         = "sfo-m01-cl01"
  ```

- Set the lockdown mode to `disable` by running the command in the PowerShell console.

  ```powershell
  Set-EsxiLockdownMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -disable
  ```
Enable Lockdown Mode for Each ESXi Host in a Cluster¶
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser = "admin@local"
  $sddcManagerPass = "VMw@re1!VMw@re1!"
  $workloadDomain  = "sfo-m01"
  $cluster         = "sfo-m01-cl01"
  ```

- Set the lockdown mode to `enable` by running the command in the PowerShell console.

  ```powershell
  Set-EsxiLockdownMode -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -enable
  ```
Get the vSAN Health Summary from vCenter Server for a Cluster¶
The `Get-vSANHealthSummary` cmdlet gets the vSAN health summary from vCenter Server for a cluster. If any health check reports YELLOW or RED, the cmdlet raises a WARNING or an ERROR respectively.
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser = "admin@local"
  $sddcManagerPass = "VMw@re1!VMw@re1!"
  $workloadDomain  = "sfo-m01"
  $cluster         = "sfo-m01-cl01"
  ```

- Get the vSAN health summary from vCenter Server for the cluster by running the command in the PowerShell console.

  ```powershell
  Get-vSANHealthSummary -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster
  ```
Run the checks required for ESXi Certificate Management for a Cluster¶
The `Test-EsxiCertMgmtChecks` cmdlet runs the checks required for ESXi certificate management for a given cluster or ESXi host.

The following checks are run:

- Check ESXi Certificate Mode
- Check ESXi Lockdown Mode
- Confirm CA In vCenter Server
- Check vSAN Health Status
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn   = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser   = "admin@local"
  $sddcManagerPass   = "VMw@re1!VMw@re1!"
  $workloadDomain    = "sfo-m01"
  $cluster           = "sfo-m01-cl01"
  $issuer            = "rainpole"
  $signedCertificate = "F:\Certificates\Root64.cer"
  ```

- Run the checks required for ESXi certificate management for the cluster by running the command in the PowerShell console.

  ```powershell
  Test-EsxiCertMgmtChecks -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -signedCertificate $signedCertificate -issuer $issuer
  ```
Install a Certificate¶
The `Install-VCFCertificate` cmdlet replaces the certificate for an ESXi host or for each ESXi host in a cluster. You must provide the directory containing the signed certificate files. Certificate names should be in format
Install a Certificate to Each ESXi Host in a Cluster¶
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn      = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser      = "admin@local"
  $sddcManagerPass      = "VMw@re1!VMw@re1!"
  $workloadDomain       = "sfo-m01"
  $cluster              = "sfo-m01-cl01"
  $certificateDirectory = 'F:\Certificates'
  $certificateFileExt   = ".cer"
  ```

- Install a certificate on each ESXi host in the cluster by running the command in the PowerShell console.

  ```powershell
  Install-VCFCertificate -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -cluster $cluster -certificateDirectory $certificateDirectory -certificateFileExt $certificateFileExt
  ```
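Before handing a whole directory of signed certificates to `Install-VCFCertificate`, it is worth checking each file offline: a certificate whose subject does not name the host, that does not chain to the root vCenter Server trusts, or that is already close to expiry will be installed just as readily as a good one. The following function is an added example and is not part of the PowerShell module for VMware Cloud Foundation Certificate Management. It assumes the file naming implied by the parameters above (the host FQDN followed by `-certificateFileExt`, for example `sfo01-m01-esx01.sfo.rainpole.io.cer`), that the issuing CA's root certificate is available as a file (the same `Root64.cer` passed to `Confirm-CAInvCenterServer`), and that it runs on Windows, where the `Format()` output of the subjectAltName extension reads `DNS Name=...`. The second host in the usage section is a constructed sample.

```powershell
# Added example (not module code): validate signed ESXi certificates offline before
# running Install-VCFCertificate. Assumes files are named <esxiFqdn><ext> and that
# $rootCertificate is the issuing CA's root (the file used with Confirm-CAInvCenterServer).
function Test-EsxiSignedCertificate {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $esxiFqdn,
        [Parameter(Mandatory)] [string] $certificateDirectory,
        [string] $certificateFileExt = ".cer",
        [Parameter(Mandatory)] [string] $rootCertificate,
        [int] $minimumDaysValid = 30
    )

    $issues   = [System.Collections.Generic.List[string]]::new()
    $certPath = Join-Path -Path $certificateDirectory -ChildPath ($esxiFqdn + $certificateFileExt)
    if (-not (Test-Path -LiteralPath $certPath)) {
        $issues.Add("file not found: $certPath")
        return [pscustomobject]@{ Host = $esxiFqdn; File = $certPath; Thumbprint = $null; NotAfter = $null; Ok = $false; Issues = $issues.ToArray() }
    }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
    $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rootCertificate)

    # 1. Identity: the host FQDN must be in the subjectAltName (modern TLS clients ignore the CN)
    #    and, for ESXi, the CN is expected to match the FQDN as well.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($sanText -notmatch ('(?i)DNS Name=' + [regex]::Escape($esxiFqdn) + '(,|$)')) {
        $issues.Add("subjectAltName does not contain DNS name $esxiFqdn (SAN: '$sanText')")
    }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $esxiFqdn) { $issues.Add("subject CN '$cn' does not match host FQDN") }

    # 2. Validity window: reject not-yet-valid files and anything that would need replacing again soon.
    $now = Get-Date
    if ($cert.NotBefore -gt $now) { $issues.Add("not yet valid (NotBefore $($cert.NotBefore))") }
    if ($cert.NotAfter -lt $now.AddDays($minimumDaysValid)) { $issues.Add("expires within $minimumDaysValid days ($($cert.NotAfter))") }

    # 3. Usage and strength: serverAuth EKU, RSA >= 2048 bits, no SHA-1/MD5 signature.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')) {
        $issues.Add("extendedKeyUsage lacks serverAuth (1.3.6.1.5.5.7.3.1)")
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt 2048) { $issues.Add("RSA key is only $($rsa.KeySize) bits") }
    if ($cert.SignatureAlgorithm.FriendlyName -match '(?i)sha1|md5') { $issues.Add("weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)") }

    # 4. Chain: must terminate at the supplied root. Revocation is skipped (offline pre-flight) and the
    #    root is offered via ExtraStore, so UntrustedRoot is expected and the root thumbprint is
    #    compared explicitly instead of relying on the Windows trust store.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void] $chain.ChainPolicy.ExtraStore.Add($root)
    [void] $chain.Build($cert)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
        $issues.Add("does not chain to '$($root.Subject)' (chain ends at '$($chainRoot.Subject)'); an intermediate may be missing")
    }
    foreach ($s in ($chain.ChainStatus | Where-Object { $_.Status -notin 'UntrustedRoot', 'NoError' })) {
        $issues.Add("chain status $($s.Status): $($s.StatusInformation.Trim())")
    }

    [pscustomobject]@{
        Host = $esxiFqdn; File = $certPath; Thumbprint = $cert.Thumbprint
        NotAfter = $cert.NotAfter; Ok = ($issues.Count -eq 0); Issues = $issues.ToArray()
    }
}

# Usage: host list constructed for the example (the second host is not from the page);
# in practice take it from the CSR files written by Request-VCFCsr.
$rootCertificate      = "F:\Certificates\Root64.cer"
$certificateDirectory = "F:\Certificates"
$hosts   = @("sfo01-m01-esx01.sfo.rainpole.io", "sfo01-m01-esx02.sfo.rainpole.io")
$results = foreach ($h in $hosts) {
    Test-EsxiSignedCertificate -esxiFqdn $h -certificateDirectory $certificateDirectory -rootCertificate $rootCertificate
}
$results | Format-Table Host, Ok, NotAfter, Thumbprint -AutoSize
$results | Where-Object { -not $_.Ok } | ForEach-Object { Write-Warning "$($_.Host): $($_.Issues -join '; ')" }
if ($results | Where-Object { -not $_.Ok }) { throw "Fix the certificates above before running Install-VCFCertificate." }
```

The root thumbprint printed here is also the value `Confirm-CAInvCenterServer` matches against vCenter Server, so a failing chain check on a certificate that looks otherwise fine usually means the CA issued it from an intermediate that was not bundled into the `.cer` file.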
Install a Certificate to an ESXi Host¶
- Start PowerShell (Run as Administrator).
- Replace the values in the sample code with values for the instance of VMware Cloud Foundation and run the commands in the PowerShell console.

  Example:

  ```powershell
  $sddcManagerFqdn      = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser      = "admin@local"
  $sddcManagerPass      = "VMw@re1!VMw@re1!"
  $workloadDomain       = "sfo-m01"
  $esxiFqdn             = 'sfo01-m01-esx01.sfo.rainpole.io'
  $certificateDirectory = 'F:\Certificates'
  $certificateFileExt   = ".cer"
  ```

- Install a certificate on the ESXi host by running the command in the PowerShell console.

  ```powershell
  Install-VCFCertificate -esxi -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -esxiFqdn $esxiFqdn -certificateDirectory $certificateDirectory -certificateFileExt $certificateFileExt
  ```
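The procedures above are steps of one workflow, and the order matters: vCenter Server must trust the CA before any host certificate changes, lockdown mode has to be off while the replacement runs and back on afterwards, and storage should be healthy before and after. The function below is an added example that wires the documented cmdlets together in that order; it is not part of the module. It reads the SDDC Manager password with `Get-Credential` instead of keeping it as a literal in the script (the cmdlets' `-pass` parameter takes a plain string, so the secret is unwrapped only inside the splatted hashtable), and it supports `-WhatIf` for the steps that change state. Assumptions beyond the page: the module is imported by its PowerShell Gallery name `VMware.CloudFoundation.CertificateManagement`, and the CSR files written by `Request-VCFCsr` are named `<esxiFqdn>.csr`, which is used only to work out which signed files must exist before installation. Signing the CSRs with your CA happens outside this script, between the two phases.

```powershell
# Added example (not module code): end-to-end ESXi certificate replacement for one cluster
# using the cmdlets documented above. Run -Phase Prepare, sign the CSRs with your CA, save each
# signed certificate as <esxiFqdn><ext> in $certificateDirectory, then run -Phase Install.
function Invoke-EsxiCertificateReplacement {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [ValidateSet('Prepare', 'Install')] [string] $Phase,
        [string] $sddcManagerFqdn      = "sfo-vcf01.sfo.rainpole.io",
        [string] $workloadDomain       = "sfo-m01",
        [string] $cluster              = "sfo-m01-cl01",
        [string] $issuer               = "rainpole",
        [string] $signedCertificate    = "F:\Certificates\Root64.cer",
        [string] $outputDirectory      = "F:\CSR\",
        [string] $certificateDirectory = "F:\Certificates",
        [string] $certificateFileExt   = ".cer",
        # Prompt for the password rather than embedding it; UserName matches the page's admin@local.
        [pscredential] $sddcManagerCredential = (Get-Credential -UserName "admin@local" -Message "SDDC Manager credentials")
    )

    $ErrorActionPreference = 'Stop'
    Import-Module VMware.CloudFoundation.CertificateManagement   # assumed Gallery module name

    # The cmdlets take -pass as a plain string; unwrap it once into a hashtable that is splatted
    # into every call so the secret never appears on a command line in the transcript.
    $sddc = @{
        server = $sddcManagerFqdn
        user   = $sddcManagerCredential.UserName
        pass   = $sddcManagerCredential.GetNetworkCredential().Password
        domain = $workloadDomain
    }

    switch ($Phase) {
        'Prepare' {
            # 1. vCenter Server must already trust the issuing CA; otherwise hosts cannot
            #    re-establish trust after their certificate is replaced. Fail closed.
            if (-not (Confirm-CAInvCenterServer @sddc -issuer $issuer -signedCertificate $signedCertificate)) {
                throw "CA '$issuer' ($signedCertificate) is not trusted by vCenter Server for $workloadDomain. Import the root chain first."
            }
            # 2. Custom certificate mode, and lockdown off only for the duration of the change.
            if ($PSCmdlet.ShouldProcess($cluster, "Set certificate mode 'custom' and disable lockdown mode")) {
                Set-EsxiCertificateMode @sddc -mode "custom"
                Set-EsxiLockdownMode @sddc -cluster $cluster -disable
            }
            # 3. The module's combined pre-flight (mode, lockdown, CA trust, vSAN health); keep its
            #    output alongside the CSRs as part of the change record.
            New-Item -ItemType Directory -Force -Path $outputDirectory | Out-Null
            Test-EsxiCertMgmtChecks @sddc -cluster $cluster -issuer $issuer -signedCertificate $signedCertificate |
                Tee-Object -FilePath (Join-Path $outputDirectory "preflight.txt")
            # 4. One CSR per host in the cluster. Subject fields are the page's sample values; use
            #    your CA's naming policy.
            Request-VCFCsr -esxi @sddc -cluster $cluster -Country "US" -Locality "San Francisco" -Organization "Rainpole" `
                -OrganizationUnit "Platform Engineering" -StateOrProvince "CA" -outputDirectory $outputDirectory
            Get-ChildItem -Path $outputDirectory | Select-Object Name, Length, LastWriteTime
            Write-Host "Sign the CSRs in $outputDirectory, save each certificate as <esxiFqdn>$certificateFileExt in $certificateDirectory, then run -Phase Install."
        }
        'Install' {
            # 5. Refuse to start unless a signed file exists for every CSR that was generated
            #    (CSR naming <esxiFqdn>.csr is assumed; adjust the filter if your files differ).
            $csrFiles = Get-ChildItem -Path $outputDirectory -Filter '*.csr'
            if (-not $csrFiles) { throw "No CSR files found in $outputDirectory; run -Phase Prepare first." }
            $missing = foreach ($csr in $csrFiles) {
                $expected = Join-Path -Path $certificateDirectory -ChildPath ($csr.BaseName + $certificateFileExt)
                if (-not (Test-Path -LiteralPath $expected)) { $expected }
            }
            if ($missing) { throw "Signed certificate(s) missing: $($missing -join ', ')" }

            # 6. Storage must be healthy before certificates are replaced; with ErrorActionPreference
            #    set to Stop, the ERROR the cmdlet raises on a RED status aborts the run.
            Get-vSANHealthSummary @sddc -cluster $cluster

            # 7. Install, restore lockdown mode, and confirm the cluster is still healthy.
            if ($PSCmdlet.ShouldProcess($cluster, "Install certificates from $certificateDirectory and re-enable lockdown mode")) {
                Install-VCFCertificate -esxi @sddc -cluster $cluster -certificateDirectory $certificateDirectory -certificateFileExt $certificateFileExt
                Set-EsxiLockdownMode @sddc -cluster $cluster -enable
                Get-vSANHealthSummary @sddc -cluster $cluster
            }
        }
    }
}

# Usage (constructed):
#   Invoke-EsxiCertificateReplacement -Phase Prepare -WhatIf   # dry run of the state-changing steps
#   Invoke-EsxiCertificateReplacement -Phase Prepare
#   ... sign the CSRs with your CA, place the signed files in F:\Certificates ...
#   Invoke-EsxiCertificateReplacement -Phase Install
```

Running with `-WhatIf` still executes the read-only checks (`Confirm-CAInvCenterServer`, `Test-EsxiCertMgmtChecks`, `Get-vSANHealthSummary`), which is the point: you see exactly what would block the change before any mode or lockdown setting is touched.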