Certificates APIs

Certificates APIs

APIs for managing Certificates

Table of Contents

1. Install Certificates By Online Mode

The following steps have to be followed to install certificates signed by VCF supporting certificate authorities (Microsoft CA and OpenSSL CA).

1.1. Prerequisites

  • The SDDC Manager should be up and running.

  • The resources of the target domain (e.g. MGMT) should be in ACTIVE state.

1.2. Steps

  • Check the configured certificate authorities

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/certificate-authorities' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/certificate-authorities HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 383

{
  "elements" : [ {
    "id" : "OpenSSL",
    "commonName" : "OpenSSL CA",
    "country" : "IN",
    "state" : "Karnataka",
    "locality" : "Bengaluru",
    "organization" : "VMware Inc.",
    "organizationUnit" : "VCF"
  }, {
    "id" : "Microsoft",
    "username" : "Administrator",
    "serverUrl" : "https://sfo-ad.rainpole.io/certsrv",
    "templateName" : "WebServer"
  } ]
}

Tip : Refer to: Get certificate authorities information API

  • Configure a certificate authority (either "Microsoft" or "OpenSSL") if it is not configured

Configure "Microsoft" certificate authority
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/certificate-authorities' -i -X PUT \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "microsoftCertificateAuthoritySpec" : {
    "username" : "Administrator",
    "secret" : "********",
    "serverUrl" : "https://sfo-ad.rainpole.io/certsrv",
    "templateName" : "WebServer"
  }
}'

HTTP Request

PUT /v1/certificate-authorities HTTP/1.1
Content-Type: application/json
Content-Length: 199
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "microsoftCertificateAuthoritySpec" : {
    "username" : "Administrator",
    "secret" : "********",
    "serverUrl" : "https://sfo-ad.rainpole.io/certsrv",
    "templateName" : "WebServer"
  }
}

HTTP Response

HTTP/1.1 200 OK

Configure "OpenSSL" certificate authority
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/certificate-authorities' -i -X PUT \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "openSSLCertificateAuthoritySpec" : {
    "commonName" : "OpenSSL CA",
    "country" : "IN",
    "state" : "Karnataka",
    "locality" : "Bengaluru",
    "organization" : "VMware Inc.",
    "organizationUnit" : "VCF"
  }
}'

HTTP Request

PUT /v1/certificate-authorities HTTP/1.1
Content-Type: application/json
Content-Length: 226
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "openSSLCertificateAuthoritySpec" : {
    "commonName" : "OpenSSL CA",
    "country" : "IN",
    "state" : "Karnataka",
    "locality" : "Bengaluru",
    "organization" : "VMware Inc.",
    "organizationUnit" : "VCF"
  }
}

HTTP Response

HTTP/1.1 200 OK

Tip : Refer to: Create a certificate authority API

  • Reconfigure the certificate authority if required

Reconfigure "Microsoft" certificate authority
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/certificate-authorities' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "microsoftCertificateAuthoritySpec" : {
    "templateName" : "WebServer"
  }
}'

HTTP Request

PATCH /v1/certificate-authorities HTTP/1.1
Content-Type: application/json
Content-Length: 82
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "microsoftCertificateAuthoritySpec" : {
    "templateName" : "WebServer"
  }
}

HTTP Response

HTTP/1.1 200 OK

Reconfigure "OpenSSL" certificate authority
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/certificate-authorities' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "openSSLCertificateAuthoritySpec" : {
    "commonName" : "OpenSSL CA"
  }
}'

HTTP Request

PATCH /v1/certificate-authorities HTTP/1.1
Content-Type: application/json
Content-Length: 79
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "openSSLCertificateAuthoritySpec" : {
    "commonName" : "OpenSSL CA"
  }
}

HTTP Response

HTTP/1.1 200 OK

Tip : Refer to: Configure existing certificate authority API

  • Verify that the certificate authority is successfully configured by invoking the API with type of CA as the ID (optional)

Verify configuration for "Microsoft" certificate authority
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/certificate-authorities/Microsoft' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/certificate-authorities/Microsoft HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 142

{
  "id" : "Microsoft",
  "username" : "Administrator",
  "serverUrl" : "https://sfo-ad.rainpole.io/certsrv",
  "templateName" : "WebServer"
}

Verify configuration for "OpenSSL" certificate authority
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/certificate-authorities/OpenSSL' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/certificate-authorities/OpenSSL HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 190

{
  "id" : "OpenSSL",
  "commonName" : "OpenSSL CA",
  "country" : "IN",
  "state" : "Karnataka",
  "locality" : "Bengaluru",
  "organization" : "VMware Inc.",
  "organizationUnit" : "VCF"
}

Tip : Refer to: Get certificate authority information API

  • After the successful certificate authority configuration, generate CSR by invoking the API

Tip : If "resources" field is not given then operations are performed on all the resources in the domain.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs' -i -X PUT \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "csrGenerationSpec" : {
    "country" : "IN",
    "state" : "Karnataka",
    "locality" : "Bengaluru",
    "organization" : "VMware Inc.",
    "organizationUnit" : "VCF",
    "email" : "[email protected]",
    "keySize" : "3072",
    "keyAlgorithm" : "RSA"
  },
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}'

HTTP Request

PUT /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs HTTP/1.1
Content-Type: application/json
Content-Length: 352
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "csrGenerationSpec" : {
    "country" : "IN",
    "state" : "Karnataka",
    "locality" : "Bengaluru",
    "organization" : "VMware Inc.",
    "organizationUnit" : "VCF",
    "email" : "[email protected]",
    "keySize" : "3072",
    "keyAlgorithm" : "RSA"
  },
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}

HTTP Response

HTTP/1.1 202 Accepted
Location: /v1/tasks/0c2b7dc1-83d0-48a7-a270-b292abc0048b
Content-Type: application/json
Content-Length: 79

{
  "id" : "0c2b7dc1-83d0-48a7-a270-b292abc0048b",
  "status" : "IN_PROGRESS"
}

Tip : Refer to: Generate CSR(s) API

  • Poll the status of the task using the task API with the ID from the response of the previous API until "status" is not "IN_PROGRESS".

Tip : Refer to: Get a Task.

  • If the "status" is "SUCCESSFUL", the task is completed successfully.

  • If the "status" is "FAILED", execute the generate CSR request again.

  • After successful CSR generation, generate the certificates signed by supported certificates authorities (either OpenSSL or Microsoft) by invoking the API

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates' -i -X PUT \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "caType" : "Microsoft",
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}'

HTTP Request

PUT /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates HTTP/1.1
Content-Type: application/json
Content-Length: 115
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "caType" : "Microsoft",
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}

HTTP Response

HTTP/1.1 202 Accepted
Location: /v1/tasks/5ef2fce5-5714-410b-aa8f-18a7767e024c
Content-Type: application/json
Content-Length: 79

{
  "id" : "5ef2fce5-5714-410b-aa8f-18a7767e024c",
  "status" : "IN_PROGRESS"
}

Tip : Refer to: Generate certificate(s) for the selected resource(s) in a domain API

  • Poll the status of the task using the task API with the ID from the response of the previous API until "status" is not "IN_PROGRESS".

Tip : Refer to: Get a Task.

  • If the "status" is "SUCCESSFUL", the task is completed successfully.

  • If the "status" is "FAILED", execute the generate certificate request again.

  • If the generation of certificates is successful, fetch the contents of the generated certificates to check for which resources certificates are generated by invoking the API (optional)

Note : The following will display only the list of certificates generated from the SDDC manager.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 949

{
  "elements" : [ {
    "isInstalled" : false,
    "version" : "V3",
    "serialNumber" : "46:85:19:77:36:12:67:26",
    "issuedTo" : "sfo-vc01.rainpole.io",
    "issuedBy" : "CN=OpenSSL CA, OU=VCF, O=VMware, L=Bengaluru, ST=Karnataka, C=IN",
    "notBefore" : "2023-04-27T18:05:11.631Z",
    "notAfter" : "2024-05-29T18:05:11.631Z",
    "signatureAlgorithm" : "SHA256withRSA",
    "subject" : "CN=sfo-vc01.rainpole.io, OU=VCF, O=VMware, L=Bengaluru, ST=Karnataka, C=IN",
    "subjectAlternativeName" : [ "sfo-vc01.rainpole.io" ],
    "publicKey" : "D6:FD:DF:33:F1:...",
    "publicKeyAlgorithm" : "RSA",
    "keySize" : "3072",
    "thumbprintAlgorithm" : "SHA-256",
    "thumbprint" : "59:24:D5:18:04:A0:26:B0:A4:05:EA:82:60:95:82:A2:4B:F6:31:FB:81:93:01:F3:29:7D:34:9C:D3:05:39:90",
    "numberOfDaysToExpire" : 398,
    "expirationStatus" : "ACTIVE",
    "pemEncoded" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
  } ]
}

Tip : Refer to: Get latest generated certificate(s) in a domain API

  • After successful certificate generation, install the signed certificates on remote resources by invoking the API

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "operationType" : "INSTALL",
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}'

HTTP Request

PATCH /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates HTTP/1.1
Content-Type: application/json
Content-Length: 120
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "operationType" : "INSTALL",
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}

HTTP Response

HTTP/1.1 202 Accepted
Location: /v1/tasks/81c4cd7b-ff31-4aaa-b0f4-f3db934e0a5c
Content-Type: application/json
Content-Length: 79

{
  "id" : "81c4cd7b-ff31-4aaa-b0f4-f3db934e0a5c",
  "status" : "IN_PROGRESS"
}

Tip : Refer to: Replace certificate(s) for the selected resource(s) in a domain API

  • Poll the status of the task using the task API with the ID from the response of the previous API until "status" is not "IN_PROGRESS".

Tip : Refer to: Get a Task.

  • If the "status" is "SUCCESSFUL", the task is completed successfully.

  • If the "status" is "FAILED", the task can be re-executed.

Tip : Refer to: Retry a Task

  • Fetch the installed certificates by invoking the API (optional)

Note : The following will display the list of installed certificates.

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 948

{
  "elements" : [ {
    "isInstalled" : true,
    "version" : "V3",
    "serialNumber" : "46:85:19:77:36:12:67:26",
    "issuedTo" : "sfo-vc01.rainpole.io",
    "issuedBy" : "CN=OpenSSL CA, OU=VCF, O=VMware, L=Bengaluru, ST=Karnataka, C=IN",
    "notBefore" : "2023-04-27T18:05:11.732Z",
    "notAfter" : "2024-05-29T18:05:11.732Z",
    "signatureAlgorithm" : "SHA256withRSA",
    "subject" : "CN=sfo-vc01.rainpole.io, OU=VCF, O=VMware, L=Bengaluru, ST=Karnataka, C=IN",
    "subjectAlternativeName" : [ "sfo-vc01.rainpole.io" ],
    "publicKey" : "D6:FD:DF:33:F1:...",
    "publicKeyAlgorithm" : "RSA",
    "keySize" : "3072",
    "thumbprintAlgorithm" : "SHA-256",
    "thumbprint" : "59:24:D5:18:04:A0:26:B0:A4:05:EA:82:60:95:82:A2:4B:F6:31:FB:81:93:01:F3:29:7D:34:9C:D3:05:39:90",
    "numberOfDaysToExpire" : 398,
    "expirationStatus" : "ACTIVE",
    "pemEncoded" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
  } ]
}

Tip : Refer to: View certificate of all the resources in a domain API

Warning : Certificate installation will replace the already installed certificates.

Note : The CSRs cannot be fetched after successful certificate installation.

Note : Only singleton object of a particular certificate authority will exist at any point of time in the VCF environment.

Note : Only the latest generated CSRs will exist in the VCF environment after a series of generate CSR operation.

Note : Only the latest generated certificates will exist in the VCF environment after a series of generate certificate operation.

2. Install Certificates By Offline Mode

The following steps have to be followed to install certificates signed by external third party certificate authorities.

2.1. Prerequisites

  • The SDDC Manager should be up and running.

  • The resources of the target domain (e.g. MGMT) should be in ACTIVE state.

2.2. Steps

  • Generate CSR by invoking the API

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs' -i -X PUT \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "csrGenerationSpec" : {
    "country" : "IN",
    "state" : "Karnataka",
    "locality" : "Bengaluru",
    "organization" : "VMware Inc.",
    "organizationUnit" : "VCF",
    "email" : "[email protected]",
    "keySize" : "3072",
    "keyAlgorithm" : "RSA"
  },
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}'

HTTP Request

PUT /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs HTTP/1.1
Content-Type: application/json
Content-Length: 352
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "csrGenerationSpec" : {
    "country" : "IN",
    "state" : "Karnataka",
    "locality" : "Bengaluru",
    "organization" : "VMware Inc.",
    "organizationUnit" : "VCF",
    "email" : "[email protected]",
    "keySize" : "3072",
    "keyAlgorithm" : "RSA"
  },
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}

HTTP Response

HTTP/1.1 202 Accepted
Location: /v1/tasks/0c2b7dc1-83d0-48a7-a270-b292abc0048b
Content-Type: application/json
Content-Length: 79

{
  "id" : "0c2b7dc1-83d0-48a7-a270-b292abc0048b",
  "status" : "IN_PROGRESS"
}

Tip : Refer to: Generate CSR(s) API

  • Poll the status of the task using the task API with the ID from the response of the previous API until "status" is not "IN_PROGRESS".

Tip : Refer to: Get a Task.

  • If the "status" is "SUCCESSFUL", the task is completed successfully.

  • If the "status" is "FAILED", execute the generate CSR request again.

  • If the generation of CSR is successful, either get available CSR(s) in "json" format or download available CSR(s) in ".tar.gz" format.

Get available CSR(s) in "json" format
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 227

{
  "elements" : [ {
    "csrEncodedContent" : "-----BEGIN CERTIFICATE REQUEST-----\nMIIEH...\n-----END CERTIFICATE REQUEST-----",
    "resource" : {
      "fqdn" : "sfo-vc01.rainpole.io",
      "type" : "VCENTER"
    }
  } ]
}

Tip : Refer to: Get available CSR(s) in json format API

Download available CSR(s) in ".tar.gz" format
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs/downloads' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/csrs/downloads HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 24
Content-Disposition: attachment; filename="MGMT.tar.gz"
Accept-Ranges: bytes

<binary .tar.gz content>

Tip : Refer to: Download available CSR(s) in tar.gz format API

  • Use the downloaded CSRs to have it manually signed by external certificate authorities.

  • Validate the signed certificate before installation by invoking the API (optional)

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates/validations' -i -X PUT \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '[ {
  "resourceFqdn" : "sfo-vc01.rainpole.io",
  "resourceCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----",
  "caCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
}, {
  "resourceId" : "BE8A5E04-92A0-43F6-A166-AA041F4327CC",
  "certificateChain" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
} ]'

HTTP Request

PUT /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates/validations HTTP/1.1
Content-Type: application/json
Content-Length: 581
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

[ {
  "resourceFqdn" : "sfo-vc01.rainpole.io",
  "resourceCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----",
  "caCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
}, {
  "resourceId" : "BE8A5E04-92A0-43F6-A166-AA041F4327CC",
  "certificateChain" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
} ]

HTTP Response

HTTP/1.1 201 Created
Location: /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates/validations/B1930850-7D1A-4BAA-89D7-52FD5DAD196A
Content-Type: application/json
Content-Length: 500

{
  "validationId" : "B1930850-7D1A-4BAA-89D7-52FD5DAD196A",
  "startTimestamp" : "2023-04-27T18:05:12.117Z",
  "completed" : false,
  "validations" : [ {
    "resourceFqdn" : "sfo-vc01.rainpole.io",
    "startTimestamp" : "2023-04-27T18:05:12.117Z",
    "endTimestamp" : "2023-04-27T18:05:17.117Z",
    "validationStatus" : "SUCCESSFUL"
  }, {
    "resourceId" : "BE8A5E04-92A0-43F6-A166-AA041F4327CC",
    "startTimestamp" : "2023-04-27T18:05:12.117Z",
    "validationStatus" : "INPROGRESS"
  } ]
}

Tip : Refer to: Validate resource certificates API

  • Poll the status of the certificate validation using the validation task API with the validation ID from the response of the previous API until "completed" is not "true".

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates/validations/B1930850-7D1A-4BAA-89D7-52FD5DAD196A' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates/validations/B1930850-7D1A-4BAA-89D7-52FD5DAD196A HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 640

{
  "validationId" : "B1930850-7D1A-4BAA-89D7-52FD5DAD196A",
  "startTimestamp" : "2023-04-27T18:05:11.934Z",
  "endTimestamp" : "2023-04-27T18:05:16.934Z",
  "completed" : true,
  "validations" : [ {
    "resourceFqdn" : "sfo-vc01.rainpole.io",
    "startTimestamp" : "2023-04-27T18:05:11.934Z",
    "endTimestamp" : "2023-04-27T18:05:16.934Z",
    "validationStatus" : "SUCCESSFUL"
  }, {
    "resourceId" : "BE8A5E04-92A0-43F6-A166-AA041F4327CC",
    "startTimestamp" : "2023-04-27T18:05:11.934Z",
    "endTimestamp" : "2023-04-27T18:05:16.934Z",
    "validationStatus" : "FAILED",
    "validationMessage" : "Certificate Expired"
  } ]
}

Tip : Refer to: Get the resource certificate validation result API

  • If the certificate validation is successful, the signed certificates can be uploaded and installed in either ".tar.gz" format or in "json" format.

Upload and install signed certificates in ".tar.gz" format

  • Create a ".tar.gz" file with the following directory structure:

    • The name of the top-level directory must exactly match the name of the domain to which certificates are to be installed.

    • The PEM-encoded root CA certificate chain file (rootca.crt) must reside inside this top-level directory.

    • This directory must contain one sub-directory for each component resource and the name of each sub-directory must exactly match the resource fqdn.

    • Each sub-directory must contain a corresponding ".crt" file, whose name must exactly match the resource fqdn followed by ".crt" extension.

  • Upload the packaged signed certificates by invoking the API

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates/uploads' -i -X PUT \
    -H 'Content-Type: multipart/form-data' \
    -H 'Authorization: Bearer etYWRta....' \
    -F '[email protected];type=application/gzip'

HTTP Request

PUT /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates/uploads HTTP/1.1
Content-Type: multipart/form-data; boundary=6o2knFse3p53ty9dmcQvWAIx1zInP11uCfbm
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

--6o2knFse3p53ty9dmcQvWAIx1zInP11uCfbm
Content-Disposition: form-data; name=file; filename=MGMT.tar.gz
Content-Type: application/gzip

<binary .tar.gz content>
--6o2knFse3p53ty9dmcQvWAIx1zInP11uCfbm--

HTTP Response

HTTP/1.1 200 OK

Tip : Refer to: Upload certificates to the certificate store API

  • After successful upload operation, install the signed certificates on remote resources by invoking the API

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates' -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '{
  "operationType" : "INSTALL",
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}'

HTTP Request

PATCH /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/certificates HTTP/1.1
Content-Type: application/json
Content-Length: 120
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

{
  "operationType" : "INSTALL",
  "resources" : [ {
    "fqdn" : "sfo-vc01.rainpole.io",
    "type" : "VCENTER"
  } ]
}

HTTP Response

HTTP/1.1 202 Accepted
Location: /v1/tasks/81c4cd7b-ff31-4aaa-b0f4-f3db934e0a5c
Content-Type: application/json
Content-Length: 79

{
  "id" : "81c4cd7b-ff31-4aaa-b0f4-f3db934e0a5c",
  "status" : "IN_PROGRESS"
}

Tip : Refer to: Replace certificate(s) for the selected resource(s) in a domain API

  • Poll the status of the task using the task API with the ID from the response of the previous API until "status" is not "IN_PROGRESS".

Tip : Refer to: Get a Task.

  • If the "status" is "SUCCESSFUL", the task is completed successfully.

  • If the "status" is "FAILED", the task can be re-executed.

Tip : Refer to: Retry a Task

Upload and install signed certificates in "json" format
cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates' -i -X PUT \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer etYWRta....' \
    -d '[ {
  "resourceFqdn" : "sfo-vc01.rainpole.io",
  "resourceCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----",
  "caCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
}, {
  "resourceId" : "BE8A5E04-92A0-43F6-A166-AA041F4327CC",
  "certificateChain" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
} ]'

HTTP Request

PUT /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates HTTP/1.1
Content-Type: application/json
Content-Length: 581
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

[ {
  "resourceFqdn" : "sfo-vc01.rainpole.io",
  "resourceCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----",
  "caCertificate" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
}, {
  "resourceId" : "BE8A5E04-92A0-43F6-A166-AA041F4327CC",
  "certificateChain" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
} ]

HTTP Response

HTTP/1.1 202 Accepted
Location: /v1/tasks/7773481b-ebec-4561-873c-ef5e7387b2c4
Content-Type: application/json
Content-Length: 79

{
  "id" : "7773481b-ebec-4561-873c-ef5e7387b2c4",
  "status" : "IN_PROGRESS"
}

Tip : Refer to: Replace resource certificates API

  • Poll the status of the task using the task API with the ID from the response of the previous API until "status" is not "IN_PROGRESS".

Tip : Refer to: Get a Task.

  • If the "status" is "SUCCESSFUL", the task is completed successfully.

  • If the "status" is "FAILED", the task can be re-executed.

Tip : Refer to: Retry a Task

  • Fetch the installed certificates by invoking the API (optional)

cURL Request

$ curl 'https://sfo-vcf01.rainpole.io/v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates' -i -X GET \
    -H 'Authorization: Bearer etYWRta....'

HTTP Request

GET /v1/domains/3E86FBAD-8984-4D4B-992D-F0C49857572A/resource-certificates HTTP/1.1
Host: sfo-vcf01.rainpole.io
Authorization: Bearer etYWRta....

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 948

{
  "elements" : [ {
    "isInstalled" : true,
    "version" : "V3",
    "serialNumber" : "46:85:19:77:36:12:67:26",
    "issuedTo" : "sfo-vc01.rainpole.io",
    "issuedBy" : "CN=OpenSSL CA, OU=VCF, O=VMware, L=Bengaluru, ST=Karnataka, C=IN",
    "notBefore" : "2023-04-27T18:05:11.732Z",
    "notAfter" : "2024-05-29T18:05:11.732Z",
    "signatureAlgorithm" : "SHA256withRSA",
    "subject" : "CN=sfo-vc01.rainpole.io, OU=VCF, O=VMware, L=Bengaluru, ST=Karnataka, C=IN",
    "subjectAlternativeName" : [ "sfo-vc01.rainpole.io" ],
    "publicKey" : "D6:FD:DF:33:F1:...",
    "publicKeyAlgorithm" : "RSA",
    "keySize" : "3072",
    "thumbprintAlgorithm" : "SHA-256",
    "thumbprint" : "59:24:D5:18:04:A0:26:B0:A4:05:EA:82:60:95:82:A2:4B:F6:31:FB:81:93:01:F3:29:7D:34:9C:D3:05:39:90",
    "numberOfDaysToExpire" : 398,
    "expirationStatus" : "ACTIVE",
    "pemEncoded" : "-----BEGIN CERTIFICATE-----\nMIIFq...\n-----END CERTIFICATE-----"
  } ]
}

Tip : Refer to: View certificate of all the resources in a domain API

Warning : Certificate installation will replace the already installed certificates.

Note : The CSRs cannot be fetched or downloaded after successful certificate installation.

Note : Only the latest generated CSRs will exist in the VCF environment after a series of generate CSR operation.

Note : Only the latest uploaded certificates will exist in the VCF environment after a series of upload certificate operation.

Last updated 2023-04-27 11:11:38 PDT

Operations
PATCH
Configure Certificate Authority
Configure existing certificate authority
PUT
Create Certificate Authority
Create a certificate authority
PUT
Decode Cert Chain Using PUT
decodeCertChain
DELETE
Delete Ca Configuration
Deletes CA configuration file
GET
Download CSR
Download available CSR(s) in tar.gz format
PUT
Generate Certificates
Generate certificate(s) for the selected resource(s) in a domain
PUT
Generates CS Rs
Generate CSR(s)
GET
Get Certificate Authorities
Get certificate authorities information
GET
Get Certificate Authority By Id
Get certificate authority information
GET
Get Certificates
Get latest generated certificate(s) in a domain.
GET
Get CS Rs
Get available CSR(s) in json format
GET
Get Resource Certificates Validation Result
Get the resource certificate validation result
PATCH
Replace Certificates
Replace certificate(s) for the selected resource(s) in a domain
PUT
Replace Resource Certificates
Replace resource certificates
PUT
Upload Certificates
Upload certificates to the certificate store
PUT
Validate Resource Certificates
Validate resource certificates
GET
View Certificate
View certificate of all the resources in a domain