com.vmware.vcenter.certificate_management package

Submodules

com.vmware.vcenter.certificate_management.vcenter_client module

The com.vmware.vcenter.certificate_management.vcenter_client module provides classes to manage certificates.

class com.vmware.vcenter.certificate_management.vcenter_client.SigningCertificate(config)

Bases: VapiInterface

The SigningCertificate interface provides methods to view and manage vCenter signing certificates which are used to sign and verify tokens issued by vCenter token service. Versioning is the same as for the com.vmware.vcenter package. 1.23 - vSphere 7.0 U3. This class was added in vSphere API 7.0.3.0.

Parameters:

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Info(active_cert_chain=None, signing_cert_chains=None)

Bases: VapiStruct

The SigningCertificate.Info class contains data that represents vCenter signing certificates. This class was added in vSphere API 7.0.3.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • active_cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – The certificate chain that is actively being use by vCenter token service to sign tokens. This attribute was added in vSphere API 7.0.3.0.

  • signing_cert_chains (list of com.vmware.vcenter.certificate_management_client.X509CertChain) – List of signing certificate chains for validating vCenter-issued tokens. The list contains X509 certificate chains, each of which is ordered and contains the leaf, intermediate and root certs needed for the complete chain of trust. The leaf certificate is first in the chain and should be used for verifying vCenter-issued tokens. This attribute was added in vSphere API 7.0.3.0.

class SetSpec(signing_cert_chain=None, private_key=None)

Bases: VapiStruct

The SigningCertificate.SetSpec class contains data to set the active vCenter signing certificate. This class was added in vSphere API 7.0.3.0.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • signing_cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – Signing certificate chain that the vCenter token service will actively use to sign tokens. The chain must include a valid certificate chain with the leaf cert marked for digital signature key usage. This attribute was added in vSphere API 7.0.3.0.

  • private_key (str) – The corresponding unencrypted PKCS#8 private key in base64-encoded PEM format. This attribute was added in vSphere API 7.0.3.0.

get()

Retrieve the signing certificate chains for validating vCenter-issued tokens. This method was added in vSphere API 7.0.3.0.

Return type:

SigningCertificate.Info

Returns:

The active certificate chain and signing certificate chains for validating tokens.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

refresh(force=None)

Refresh the vCenter signing certificate chain. The new signing certificate will be issued in accordance with vCenter CA policy and set as the active signing certificate for the vCenter token service. The certificate will immediately be used to sign tokens issued by vCenter token service. If a third-party/custom certificate has been configured as the signing certificate for compliance reasons, refresh may take vCenter out of compliance. This method was added in vSphere API 7.0.3.0.

Parameters:

force (bool or None) – Will force refresh in environments that would otherwise prevent refresh from occurring, such as a mixed-version environment. Force refresh may leave systems in the local vCenter domain in a non-functional state until they are restarted. If None, then refresh will not be forced.

Return type:

com.vmware.vcenter.certificate_management_client.X509CertChain

Returns:

The signing certificate chain created during the refresh.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

set(spec)

Set the active signing certificate for vCenter. The certificate will immediately be used to sign tokens issued by vCenter token service. This method was added in vSphere API 7.0.3.0.

Parameters:

spec (SigningCertificate.SetSpec) – Signing certificate chain and private key which the vCenter token service will actively use to sign tokens.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

class com.vmware.vcenter.certificate_management.vcenter_client.StubFactory(stub_config)

Bases: StubFactoryBase

Initialize StubFactoryBase

Parameters:

stub_config (vmware.vapi.bindings.stub.StubConfiguration) – Stub config instance

class com.vmware.vcenter.certificate_management.vcenter_client.Tls(config)

Bases: VapiInterface

The Tls interface provides methods to replace Tls certificate. This class was added in vSphere API 6.7.2.

Parameters:

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Info(version=None, serial_number=None, signature_algorithm=None, issuer_dn=None, valid_from=None, valid_to=None, subject_dn=None, thumbprint=None, is_ca=None, path_length_constraint=None, key_usage=None, extended_key_usage=None, subject_alternative_name=None, authority_information_access_uri=None, cert=None)

Bases: VapiStruct

The Tls.Info class contains information from a TLS certificate. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • version (long) – Version (version number) value from the certificate. This attribute was added in vSphere API 6.7.2.

  • serial_number (str) – SerialNumber value from the certificate. This attribute was added in vSphere API 6.7.2.

  • signature_algorithm (str) – Signature algorithm name from the certificate. This attribute was added in vSphere API 6.7.2.

  • issuer_dn (str) – Issuer (issuer distinguished name) value from the certificate. This attribute was added in vSphere API 6.7.2.

  • valid_from (datetime.datetime) – validFrom specify the start date of the certificate. This attribute was added in vSphere API 6.7.2.

  • valid_to (datetime.datetime) – validTo specify the end date of the certificate. This attribute was added in vSphere API 6.7.2.

  • subject_dn (str) – Subject (subject distinguished name) value from the certificate. This attribute was added in vSphere API 6.7.2.

  • thumbprint (str) – Thumbprint value from the certificate. This attribute was added in vSphere API 6.7.2.

  • is_ca (bool) – Certificate constraints isCA from the critical BasicConstraints extension, (OID = 2.5.29.19). This attribute was added in vSphere API 6.7.2.

  • path_length_constraint (long) – Certificate constraints path length from the critical BasicConstraints extension, (OID = 2.5.29.19). This attribute was added in vSphere API 6.7.2.

  • key_usage (list of str) – Collection of keyusage contained in the certificate. This attribute was added in vSphere API 6.7.2.

  • extended_key_usage (list of str) – Collection of extended keyusage that contains details for which the certificate can be used for. This attribute was added in vSphere API 6.7.2.

  • subject_alternative_name (list of str) – Collection of subject alternative names. This attribute was added in vSphere API 6.7.2.

  • authority_information_access_uri (list of str) – Collection of authority information access URI. This attribute was added in vSphere API 6.7.2.

  • cert (str) – TLS certificate in PEM format. This attribute was added in vSphere API 6.7.2.

class ReplaceSpec(key_size=None, common_name=None, organization=None, organization_unit=None, locality=None, state_or_province=None, country=None, email_address=None, subject_alt_name=None)

Bases: VapiStruct

The Tls.ReplaceSpec class contains information to generate a Private Key , CSR and hence VMCA signed machine SSL. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • key_size (long or None) – The size of the key to be used for public and private key generation. This attribute was added in vSphere API 6.7.2. If None the key size will be ‘3072’.

  • common_name (str or None) – The common name of the host for which certificate is generated. This attribute was added in vSphere API 6.7.2. If None will default to PNID of host.

  • organization (str) – Organization field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • organization_unit (str) –

    Organization unit field in certificate subject.

    CA Browser forum announced that “CAs MUST NOT include the organizationalUnitName field”. So OU is no longer needed and an empty string should be used to leave it unset.. This attribute was added in vSphere API 6.7.2.

  • locality (str) – Locality field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • state_or_province (str) – State field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • country (str) – Country field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • email_address (str) – Email field in Certificate extensions. This attribute was added in vSphere API 6.7.2.

  • subject_alt_name (list of str or None) – SubjectAltName is list of Dns Names and Ip addresses. This attribute was added in vSphere API 6.7.2. If None PNID of host will be used as IPAddress or Hostname for certificate generation .

class Spec(cert=None, key=None, root_cert=None)

Bases: VapiStruct

The Tls.Spec class contains information for a Certificate and Private Key. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • cert (str) – Certificate string in PEM format. This attribute was added in vSphere API 6.7.2.

  • key (str or None) – Private key string in PEM format. This attribute was added in vSphere API 6.7.2. If None the private key from the certificate store will be used. It is required when replacing the certificate with a third party signed certificate.

  • root_cert (str or None) – Third party Root CA certificate in PEM format. This attribute was added in vSphere API 6.9.1. If None the new third party root CA certificate will not be added to the trust store. It is required when replacing the certificate with a third party signed certificate if the root certificate of the third party is not already a trusted root.

get()

Returns the rhttpproxy TLS certificate. This method was added in vSphere API 6.7.2.

Return type:

Tls.Info

Returns:

TLS certificate.

Raise:

com.vmware.vapi.std.errors_client.NotFound if the rhttpproxy certificate is not present in VECS store.

Raise:

com.vmware.vapi.std.errors_client.Error if failed due to generic exception.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

renew(duration=None)

Renews the TLS certificate for the given duration period.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.. This method was added in vSphere API 6.7.2.

Parameters:

duration (long or None) – The duration (in days) of the new TLS certificate. The duration should be less than or equal to 730 days. If None, the duration will be 730 days (two years).

Raise:

com.vmware.vapi.std.errors_client.Unsupported If the TLS certificate is not VMCA generated.

Raise:

com.vmware.vapi.std.errors_client.InvalidArgument If the duration period specified is invalid.

Raise:

com.vmware.vapi.std.errors_client.Error If the system failed to renew the TLS certificate.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

replace_vmca_signed(spec)

Replace MACHINE SSL with VMCA signed one with the given Spec.The system will go for restart.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.. This method was added in vSphere API 6.9.1.

Parameters:

spec (Tls.ReplaceSpec) – The information needed to generate VMCA signed Machine SSL

Raise:

com.vmware.vapi.std.errors_client.InvalidArgument If the Spec given is not complete or invalid

Raise:

com.vmware.vapi.std.errors_client.Error If the system failed to replace the machine ssl certificate

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

set(spec)

Replaces the rhttpproxy TLS certificate with the specified certificate. This method can be used in three scenarios :

  1. When the CSR is created and the private key is already stored, this method can replace the certificate. The Tls.Spec.cert (but not Tls.Spec.key and Tls.Spec.root_cert) must be provided as input.

  2. When the certificate is signed by a third party certificate authority/VMCA and the root certificate of the third party certificate authority/VMCA is already one of the trusted roots in the trust store, this method can replace the certificate and private key. The Tls.Spec.cert and Tls.Spec.key (but not Tls.Spec.root_cert) must be provided as input.

  3. When the certificate is signed by a third party certificate authority and the root certificate of the third party certificate authority is not one of the trusted roots in the trust store, this method can replace the certificate, private key and root CA certificate. The Tls.Spec.cert,:attr:Tls.Spec.key and Tls.Spec.root_cert must be provided as input.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.

The above three scenarios are only supported from vsphere 7.0 onwards.. This method was added in vSphere API 6.7.2.

Parameters:

spec (Tls.Spec) – The information needed to replace the TLS certificate.

Raise:

com.vmware.vapi.std.errors_client.NotFound If the private key is not present in the VECS store.

Raise:

com.vmware.vapi.std.errors_client.AlreadyExists If the specified certificate thumbprint is the same as the existing TLS certificate thumbprint.

Raise:

com.vmware.vapi.std.errors_client.Error If the system failed to replace the TLS certificate.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.

class com.vmware.vcenter.certificate_management.vcenter_client.TlsCsr(config)

Bases: VapiInterface

The TlsCsr interface provides methods to generate certificate signing request. This class was added in vSphere API 6.7.2.

Parameters:

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class Info(csr=None)

Bases: VapiStruct

The TlsCsr.Info class contains information for a Certificate signing request. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

csr (str) – Certificate Signing Request in PEM format. This attribute was added in vSphere API 6.7.2.

class Spec(key_size=None, common_name=None, organization=None, organization_unit=None, locality=None, state_or_province=None, country=None, email_address=None, subject_alt_name=None)

Bases: VapiStruct

The TlsCsr.Spec class contains information to generate a Private Key and CSR. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • key_size (long or None) – The size of the key to be used for public and private key generation. This attribute was added in vSphere API 6.7.2. If None, the key size will be 3072 bits.

  • common_name (str or None) – Common name field in certificate subject. This attribute was added in vSphere API 6.7.2. If None, the common name will be the PNID.

  • organization (str) – Organization field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • organization_unit (str) –

    Organization unit field in certificate subject.

    CA Browser forum announced that “CAs MUST NOT include the organizationalUnitName field”. So OU is no longer needed and an empty string should be used to leave it unset.. This attribute was added in vSphere API 6.7.2.

  • locality (str) – Locality field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • state_or_province (str) – State field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • country (str) – Country field in certificate subject. This attribute was added in vSphere API 6.7.2.

  • email_address (str) – Email field in Certificate extensions. This attribute was added in vSphere API 6.7.2.

  • subject_alt_name (list of str or None) – Subject Alternative Name field is list of Dns Names and Ip addresses. This attribute was added in vSphere API 6.7.2. If None, the subject alternative name will contain the PNID.

create(spec)

Generates a CSR with the given Spec. This method was added in vSphere API 6.7.2.

Parameters:

spec (TlsCsr.Spec) – The information needed to create a CSR.

Return type:

TlsCsr.Info

Returns:

A Certificate Signing Request.

Raise:

com.vmware.vapi.std.errors_client.Error If CSR could not be created for given spec for a generic error.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Manage and CertificateManagement.Administer.

class com.vmware.vcenter.certificate_management.vcenter_client.TrustedRootChains(config)

Bases: VapiInterface

The TrustedRootChains interface provides methods to create, modify, delete and read trusted root certificate chains. This class was added in vSphere API 6.7.2.

Parameters:

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class CreateSpec(cert_chain=None, chain=None)

Bases: VapiStruct

The TrustedRootChains.CreateSpec class contains information to create a trusted root certificate chain. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – Certificate chain in base64 encoding. This attribute was added in vSphere API 6.7.2.

  • chain (str or None) – Unique identifier for this trusted root. Client can specify at creation as long as it is unique, otherwise one will be generated. An example of a client providing the identifier would be if this trusted root is associated with a VC trust. In this case the identifier would be the domain id. This attribute was added in vSphere API 6.7.2. A unique id will be generated if not given.

class Info(cert_chain=None)

Bases: VapiStruct

The TrustedRootChains.Info class contains information for a trusted root certificate chain. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

cert_chain (com.vmware.vcenter.certificate_management_client.X509CertChain) – A certificate chain in base64 encoding. This attribute was added in vSphere API 6.7.2.

class Summary(chain=None)

Bases: VapiStruct

The TrustedRootChains.Summary class contains a trusted root certificate chain summary suitable for UI presentation. This class was added in vSphere API 6.7.2.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

chain (str) – Unique identifier for chain. This attribute was added in vSphere API 6.7.2.

create(spec)

Creates a new trusted root certificate chain from the CreateSpec. This method was added in vSphere API 6.7.2.

Parameters:

spec (TrustedRootChains.CreateSpec) – The information needed to create a trusted root certificate chain.

Return type:

str

Returns:

The unique identifier for the new trusted root chain.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise:

com.vmware.vapi.std.errors_client.AlreadyExists if a trusted root certificate chain exists with id in given spec.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Manage and CertificateManagement.Administer.

delete(chain)

Deletes trusted root certificate chain for a given identifier. This method was added in vSphere API 6.7.2.

Parameters:

chain (str) – Unique identifier for a trusted root cert chain.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise:

com.vmware.vapi.std.errors_client.NotFound if a trusted root certificate chain does not exist for given id.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Manage and CertificateManagement.Administer.

get(chain)

Retrieve a trusted root certificate chain for a given identifier. This method was added in vSphere API 6.7.2.

Parameters:

chain (str) – Unique identifier for a trusted root cert chain.

Return type:

TrustedRootChains.Info

Returns:

TrustedRootChain.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise:

com.vmware.vapi.std.errors_client.NotFound if a trusted root certificate chain does not exist for given id.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

list()

Returns summary information for each trusted root certificate chain. This method was added in vSphere API 6.7.2.

Return type:

list of TrustedRootChains.Summary

Returns:

List of trusted root certificate chains summaries.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if authorization is not given to caller.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires System.Read.

class com.vmware.vcenter.certificate_management.vcenter_client.VmcaRoot(config)

Bases: VapiInterface

The VmcaRoot interface provides methods to replace VMware Certificate Authority (VMCA) root certificate. This class was added in vSphere API 6.9.1.

Parameters:

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class CreateSpec(key_size=None, common_name=None, organization=None, organization_unit=None, locality=None, state_or_province=None, country=None, email_address=None, subject_alt_name=None)

Bases: VapiStruct

The VmcaRoot.CreateSpec contains information. to generate a Private Key and CSR. This class was added in vSphere API 6.9.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters:

  • key_size (long or None) – The size of the key to be used for public and private key generation. This attribute was added in vSphere API 6.9.1. If None the key size will be 3072.

  • common_name (str or None) – The common name of the host for which certificate is generated. This attribute was added in vSphere API 6.9.1. If None the common name will be the primary network identifier (PNID) of the vCenter Virtual Server Appliance (VCSA).

  • organization (str or None) – Organization field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the organization will be ‘VMware’.

  • organization_unit (str or None) – Organization unit field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the organization unit will not be set in the certificate subject.

  • locality (str or None) – Locality field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the locality will be ‘Palo Alto’.

  • state_or_province (str or None) – State field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the state will be ‘California’.

  • country (str or None) – Country field in certificate subject. This attribute was added in vSphere API 6.9.1. If None the country will be ‘US’.

  • email_address (str or None) – Email field in Certificate extensions. This attribute was added in vSphere API 6.9.1. If None the emailAddress will be ‘email\@acme.com’.

  • subject_alt_name (list of str or None) – SubjectAltName is list of Dns Names and Ip addresses. This attribute was added in vSphere API 6.9.1. If None PNID of host will be used as IPAddress or Hostname for certificate generation.

create(spec=None)

Replace Root Certificate with VMCA signed one using the given Spec.

After this method completes, the services using the certificate will be restarted for the new certificate to take effect.. This method was added in vSphere API 6.9.1.

Parameters:

spec (VmcaRoot.CreateSpec or None) – The information needed to generate VMCA signed Root Certificate. Default values will be set for all null parameters.

Raise:

com.vmware.vapi.std.errors_client.Error If the system failed to renew the TLS certificate.

Raise:

com.vmware.vapi.std.errors_client.Unsupported If the operation is executed on a platform where it is not supported. This exception was added in vSphere API 8.0.2.0.

Raise:

com.vmware.vapi.std.errors_client.Unauthorized if you do not have all of the privileges described as follows:

  • Method execution requires CertificateManagement.Administer.