com.vmware.vcenter.certificate_management package

Submodules

com.vmware.vcenter.certificate_management.vcenter_client module

The com.vmware.vcenter.certificate_management.vcenter_client module provides classes to manage certificates.

class com.vmware.vcenter.certificate_management.vcenter_client.SigningCertificate(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The SigningCertificate interface provides methods to view and manage vCenter signing certificates which are used to sign and verify tokens issued by vCenter token service. Versioning is the same as for the com.vmware.vcenter package. 1.23 - vSphere 7.0 U3. This class was added in vSphere API 7.0.3.0.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Info(active_cert_chain=None, signing_cert_chains=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The SigningCertificate.Info class contains data that represents vCenter signing certificates. This class was added in vSphere API 7.0.3.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • active_cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – The certificate chain that is actively being use by vCenter token service to sign tokens. This attribute was added in vSphere API 7.0.3.0.

  • signing_cert_chains (list of com.vmware.vcenter.certificate_management_client.X509CertChain) – List of signing certificate chains for validating vCenter-issued tokens. The list contains X509 certificate chains, each of which is ordered and contains the leaf, intermediate and root certs needed for the complete chain of trust. The leaf certificate is first in the chain and should be used for verifying vCenter-issued tokens. This attribute was added in vSphere API 7.0.3.0.

class SetSpec(signing_cert_chain=None, private_key=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The SigningCertificate.SetSpec class contains data to set the active vCenter signing certificate. This class was added in vSphere API 7.0.3.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • signing_cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – Signing certificate chain that the vCenter token service will actively use to sign tokens. The chain must include a valid certificate chain with the leaf cert marked for digital signature key usage. This attribute was added in vSphere API 7.0.3.0.

  • private_key (str) – The corresponding unencrypted PKCS#8 private key in base64-encoded PEM format. This attribute was added in vSphere API 7.0.3.0.

get()

Retrieve the signing certificate chains for validating vCenter-issued tokens. This method was added in vSphere API 7.0.3.0.

Return type

SigningCertificate.Info

Returns

The active certificate chain and signing certificate chains for validating tokens.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

refresh(force=None)

Refresh the vCenter signing certificate chain. The new signing certificate will be issued in accordance with vCenter CA policy and set as the active signing certificate for the vCenter token service. The certificate will immediately be used to sign tokens issued by vCenter token service. If a third-party/custom certificate has been configured as the signing certificate for compliance reasons, refresh may take vCenter out of compliance. This method was added in vSphere API 7.0.3.0.

Parameters

force (bool or None) – Will force refresh in environments that would otherwise prevent refresh from occurring, such as a mixed-version environment. Force refresh may leave systems in the local vCenter domain in a non-functional state until they are restarted. If None, then refresh will not be forced.

Return type

com.vmware.vcenter.certificate_management_client.X509CertChain

Returns

The signing certificate chain created during the refresh.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

set(spec)

Set the active signing certificate for vCenter. The certificate will immediately be used to sign tokens issued by vCenter token service. This method was added in vSphere API 7.0.3.0.

Parameters

spec (SigningCertificate.SetSpec) – Signing certificate chain and private key which the vCenter token service will actively use to sign tokens.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

class com.vmware.vcenter.certificate_management.vcenter_client.StubFactory(stub_config)

Bases: vmware.vapi.bindings.stub.StubFactoryBase

Initialize StubFactoryBase

Parameters

stub_config (vmware.vapi.bindings.stub.StubConfiguration) – Stub config instance

class com.vmware.vcenter.certificate_management.vcenter_client.Tls(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The Tls interface provides methods to replace Tls certificate. This class was added in vSphere API 6.7.2.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Info(version=None, serial_number=None, signature_algorithm=None, issuer_dn=None, valid_from=None, valid_to=None, subject_dn=None, thumbprint=None, is_ca=None, path_length_constraint=None, key_usage=None, extended_key_usage=None, subject_alternative_name=None, authority_information_access_uri=None, cert=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Tls.Info class contains information from a TLS certificate. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • version (long) – Version (version number) value from the certificate. This attribute was added in vSphere API 6.7.2.

  • serial_number (str) – SerialNumber value from the certificate. This attribute was added in vSphere API 6.7.2.

  • signature_algorithm (str) – Signature algorithm name from the certificate. This attribute was added in vSphere API 6.7.2.

  • issuer_dn (str) – Issuer (issuer distinguished name) value from the certificate. This attribute was added in vSphere API 6.7.2.

  • valid_from (datetime.datetime) – validFrom specify the start date of the certificate. This attribute was added in vSphere API 6.7.2.

  • valid_to (datetime.datetime) – validTo specify the end date of the certificate. This attribute was added in vSphere API 6.7.2.

  • subject_dn (str) – Subject (subject distinguished name) value from the certificate. This attribute was added in vSphere API 6.7.2.

  • thumbprint (str) – Thumbprint value from the certificate. This attribute was added in vSphere API 6.7.2.

  • is_ca (bool) – Certificate constraints isCA from the critical BasicConstraints extension, (OID = 2.5.29.19). This attribute was added in vSphere API 6.7.2.

  • path_length_constraint (long) – Certificate constraints path length from the critical BasicConstraints extension, (OID = 2.5.29.19). This attribute was added in vSphere API 6.7.2.

  • key_usage (list of str) – Collection of keyusage contained in the certificate. This attribute was added in vSphere API 6.7.2.

  • extended_key_usage (list of str) – Collection of extended keyusage that contains details for which the certificate can be used for. This attribute was added in vSphere API 6.7.2.

  • subject_alternative_name (list of str) – Collection of subject alternative names. This attribute was added in vSphere API 6.7.2.

  • authority_information_access_uri (list of str) – Collection of authority information access URI. This attribute was added in vSphere API 6.7.2.

  • cert (str) – TLS certificate in PEM format. This attribute was added in vSphere API 6.7.2.

class ReplaceSpec(key_size=None, common_name=None, organization=None, organization_unit=None, locality=None, state_or_province=None, country=None, email_address=None, subject_alt_name=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Tls.ReplaceSpec class contains information to generate a Private Key , CSR and hence VMCA signed machine SSL. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • key_size (long or None) – The size of the key to be used for public and private key generation. This attribute was added in vSphere API 6.7.2. If None the key size will be ‘3072’.

  • common_name (str or None) – The common name of the host for which certificate is generated. This attribute was added in vSphere API 6.7.2. If None will default to PNID of host.

  • organization (str) – Organization field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • organization_unit (str) –

    Organization unit field in certificate subject.

    CA Browser forum announced that “CAs MUST NOT include the organizationalUnitName field”. So OU is no longer needed and an empty string should be used to leave it unset.. This attribute was added in vSphere API 6.7.2.

  • locality (str) – Locality field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • state_or_province (str) – State field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • country (str) – Country field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • email_address (str) – Email field in Certificate extensions. This attribute was added in vSphere API 6.7.2.

  • subject_alt_name (list of str or None) – SubjectAltName is list of Dns Names and Ip addresses. This attribute was added in vSphere API 6.7.2. If None PNID of host will be used as IPAddress or Hostname for certificate generation .

class Spec(cert=None, key=None, root_cert=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Tls.Spec class contains information for a Certificate and Private Key. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • cert (str) – Certificate string in PEM format. This attribute was added in vSphere API 6.7.2.

  • key (str or None) – Private key string in PEM format. This attribute was added in vSphere API 6.7.2. If None the private key from the certificate store will be used. It is required when replacing the certificate with a third party signed certificate.

  • root_cert (str or None) – Third party Root CA certificate in PEM format. This attribute was added in vSphere API 6.9.1. If None the new third party root CA certificate will not be added to the trust store. It is required when replacing the certificate with a third party signed certificate if the root certificate of the third party is not already a trusted root.

get()

Returns the rhttpproxy TLS certificate. This method was added in vSphere API 6.7.2.

Return type

Tls.Info

Returns

TLS certificate.

Raise

com.vmware.vapi.std.errors_client.NotFound if the rhttpproxy certificate is not present in VECS store.

Raise

com.vmware.vapi.std.errors_client.Error if failed due to generic exception.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

renew(duration=None)

Renews the TLS certificate for the given duration period.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.. This method was added in vSphere API 6.7.2.

Parameters

duration (long or None) – The duration (in days) of the new TLS certificate. The duration should be less than or equal to 730 days. If None, the duration will be 730 days (two years).

Raise

com.vmware.vapi.std.errors_client.Unsupported If the TLS certificate is not VMCA generated.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument If the duration period specified is invalid.

Raise

com.vmware.vapi.std.errors_client.Error If the system failed to renew the TLS certificate.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

replace_vmca_signed(spec)

Replace MACHINE SSL with VMCA signed one with the given Spec.The system will go for restart.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.. This method was added in vSphere API 6.9.1.

Parameters

spec (Tls.ReplaceSpec) – The information needed to generate VMCA signed Machine SSL

Raise

com.vmware.vapi.std.errors_client.InvalidArgument If the Spec given is not complete or invalid

Raise

com.vmware.vapi.std.errors_client.Error If the system failed to replace the machine ssl certificate

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

set(spec)

Replaces the rhttpproxy TLS certificate with the specified certificate. This method can be used in three scenarios :

  1. When the CSR is created and the private key is already stored, this method can replace the certificate. The Tls.Spec.cert (but not Tls.Spec.key and Tls.Spec.root_cert) must be provided as input.

  2. When the certificate is signed by a third party certificate authority/VMCA and the root certificate of the third party certificate authority/VMCA is already one of the trusted roots in the trust store, this method can replace the certificate and private key. The Tls.Spec.cert and Tls.Spec.key (but not Tls.Spec.root_cert) must be provided as input.

  3. When the certificate is signed by a third party certificate authority and the root certificate of the third party certificate authority is not one of the trusted roots in the trust store, this method can replace the certificate, private key and root CA certificate. The Tls.Spec.cert,:attr:Tls.Spec.key and Tls.Spec.root_cert must be provided as input.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.

The above three scenarios are only supported from vsphere 7.0 onwards.. This method was added in vSphere API 6.7.2.

Parameters

spec (Tls.Spec) – The information needed to replace the TLS certificate.

Raise

com.vmware.vapi.std.errors_client.NotFound If the private key is not present in the VECS store.

Raise

com.vmware.vapi.std.errors_client.AlreadyExists If the specified certificate thumbprint is the same as the existing TLS certificate thumbprint.

Raise

com.vmware.vapi.std.errors_client.Error If the system failed to replace the TLS certificate.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

class com.vmware.vcenter.certificate_management.vcenter_client.TlsCsr(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The TlsCsr interface provides methods to generate certificate signing request. This class was added in vSphere API 6.7.2.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Info(csr=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The TlsCsr.Info class contains information for a Certificate signing request. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

csr (str) – Certificate Signing Request in PEM format. This attribute was added in vSphere API 6.7.2.

class Spec(key_size=None, common_name=None, organization=None, organization_unit=None, locality=None, state_or_province=None, country=None, email_address=None, subject_alt_name=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The TlsCsr.Spec class contains information to generate a Private Key and CSR. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • key_size (long or None) – The size of the key to be used for public and private key generation. This attribute was added in vSphere API 6.7.2. If None, the key size will be 3072 bits.

  • common_name (str or None) – Common name field in certificate subject. This attribute was added in vSphere API 6.7.2. If None, the common name will be the PNID.

  • organization (str) – Organization field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • organization_unit (str) –

    Organization unit field in certificate subject.

    CA Browser forum announced that “CAs MUST NOT include the organizationalUnitName field”. So OU is no longer needed and an empty string should be used to leave it unset.. This attribute was added in vSphere API 6.7.2.

  • locality (str) – Locality field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • state_or_province (str) – State field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • country (str) – Country field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • email_address (str) – Email field in Certificate extensions. This attribute was added in vSphere API 6.7.2.

  • subject_alt_name (list of str or None) – Subject Alternative Name field is list of Dns Names and Ip addresses. This attribute was added in vSphere API 6.7.2. If None, the subject alternative name will contain the PNID.

create(spec)

Generates a CSR with the given Spec. This method was added in vSphere API 6.7.2.

Parameters

spec (TlsCsr.Spec) – The information needed to create a CSR.

Return type

TlsCsr.Info

Returns

A Certificate Signing Request.

Raise

com.vmware.vapi.std.errors_client.Error If CSR could not be created for given spec for a generic error.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Manage and CertificateManagement.Administer.

class com.vmware.vcenter.certificate_management.vcenter_client.TrustedRootChains(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The TrustedRootChains interface provides methods to create, modify, delete and read trusted root certificate chains. This class was added in vSphere API 6.7.2.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class CreateSpec(cert_chain=None, chain=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The TrustedRootChains.CreateSpec class contains information to create a trusted root certificate chain. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – Certificate chain in base64 encoding. This attribute was added in vSphere API 6.7.2.

  • chain (str or None) – Unique identifier for this trusted root. Client can specify at creation as long as it is unique, otherwise one will be generated. An example of a client providing the identifier would be if this trusted root is associated with a VC trust. In this case the identifier would be the domain id. This attribute was added in vSphere API 6.7.2. A unique id will be generated if not given.

class Info(cert_chain=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The TrustedRootChains.Info class contains information for a trusted root certificate chain. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – A certificate chain in base64 encoding. This attribute was added in vSphere API 6.7.2.

class Summary(chain=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The TrustedRootChains.Summary class contains a trusted root certificate chain summary suitable for UI presentation. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

chain (str) – Unique identifier for chain. This attribute was added in vSphere API 6.7.2.

create(spec)

Creates a new trusted root certificate chain from the CreateSpec. This method was added in vSphere API 6.7.2.

Parameters

spec (TrustedRootChains.CreateSpec) – The information needed to create a trusted root certificate chain.

Return type

str

Returns

The unique identifier for the new trusted root chain.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise

com.vmware.vapi.std.errors_client.AlreadyExists if a trusted root certificate chain exists with id in given spec.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Manage and CertificateManagement.Administer.

delete(chain)

Deletes trusted root certificate chain for a given identifier. This method was added in vSphere API 6.7.2.

Parameters

chain (str) – Unique identifier for a trusted root cert chain.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise

com.vmware.vapi.std.errors_client.NotFound if a trusted root certificate chain does not exist for given id.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Manage and CertificateManagement.Administer.

get(chain)

Retrieve a trusted root certificate chain for a given identifier. This method was added in vSphere API 6.7.2.

Parameters

chain (str) – Unique identifier for a trusted root cert chain.

Return type

TrustedRootChains.Info

Returns

TrustedRootChain.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise

com.vmware.vapi.std.errors_client.NotFound if a trusted root certificate chain does not exist for given id.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

list()

Returns summary information for each trusted root certificate chain. This method was added in vSphere API 6.7.2.

Return type

list of TrustedRootChains.Summary

Returns

List of trusted root certificate chains summaries.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

class com.vmware.vcenter.certificate_management.vcenter_client.VmcaRoot(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The VmcaRoot interface provides methods to replace VMware Certificate Authority (VMCA) root certificate. This class was added in vSphere API 6.9.1.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class CreateSpec(key_size=None, common_name=None, organization=None, organization_unit=None, locality=None, state_or_province=None, country=None, email_address=None, subject_alt_name=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The VmcaRoot.CreateSpec contains information. to generate a Private Key and CSR. This class was added in vSphere API 6.9.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters

  • key_size (long or None) – The size of the key to be used for public and private key generation. This attribute was added in vSphere API 6.9.1. If None the key size will be 3072.

  • common_name (str or None) – The common name of the host for which certificate is generated. This attribute was added in vSphere API 6.9.1. If None the common name will be the primary network identifier (PNID) of the vCenter Virtual Server Appliance (VCSA).

  • organization (str or None) – Organization field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the organization will be ‘VMware’.

  • organization_unit (str or None) – Organization unit field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the organization unit will not be set in the certificate subject.

  • locality (str or None) – Locality field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the locality will be ‘Palo Alto’.

  • state_or_province (str or None) – State field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the state will be ‘California’.

  • country (str or None) – Country field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the country will be ‘US’.

  • email_address (str or None) – Email field in Certificate extensions. This attribute was added in vSphere API 6.9.1. If None the emailAddress will be ‘email\@acme.com’.

  • subject_alt_name (list of str or None) – SubjectAltName is list of Dns Names and Ip addresses. This attribute was added in vSphere API 6.9.1. If None PNID of host will be used as IPAddress or Hostname for certificate generation.

create(spec=None)

Replace Root Certificate with VMCA signed one using the given Spec.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.. This method was added in vSphere API 6.9.1.

Parameters

spec (VmcaRoot.CreateSpec or None) – The information needed to generate VMCA signed Root Certificate. Default values will be set for all null parameters.

Raise

com.vmware.vapi.std.errors_client.Error If the system failed to renew the TLS certificate.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.