VMware vCenter with PowerShell

I’m trying to automate the process of creating and renewing TLS certificates for my VMware vCenter servers using Certify The Web and PowerShell. I want to use PowerShell to push the certificates to the vCenter servers after they are created or renewed by Certify The Web. Does anyone have any experience or tips on how to do this? Here is what I have so far:

param($result) # Certify The Web passes the deployment result object into the script

# Load PowerCLI
Try { Import-Module -Name VMware.PowerCLI -ErrorAction Stop }
Catch { Write-Host "Unable to load VMware.PowerCLI module. Please run 'Install-Module -Name VMware.PowerCLI -AllowClobber -Force'" -ForegroundColor Red; Exit 1 }

if ($result.IsSuccess) {
    # Edit Variables Below
    $FQDN               = "vcenter.vmware.com" # E.G. vcenter.vmware.com
    $vCenterUsername    = "username"
    $vCenterPassword    = "Your_Password"
    # Do Not Edit Below This Point

    # Connect to the VMware vCenter; stop here if the connection fails so no cert push is attempted blind
    Try { $vCenterConnection = Connect-VIServer -Server $FQDN -User $vCenterUsername -Password $vCenterPassword -ErrorAction Stop }
    Catch { Write-Host "Failed to connect to $FQDN. Error: $_" -ForegroundColor Red; Exit 1 }
    $vCenterConnection

    # Read the new full-chain certificate and private key exported by Certify The Web
    $certificatePem = Get-Content -Path "C:\CTW\FullChain\$($FQDN)\$($FQDN).pem" -Raw
    $certificatePrivKeyPem = Get-Content -Path "C:\CTW\FullChain\$($FQDN)\$($FQDN).privkey.pem" -Raw
    # You will need to manually push up the CA cert(s)

    # Update the vCenter machine SSL certificate
    Try { Set-VIMachineCertificate -PemCertificate $certificatePem -PemKey $certificatePrivKeyPem -Server $vCenterConnection -ErrorAction Stop }
    Catch { Write-Host "Failed to update vCenter certificate. Error: $_" -ForegroundColor Red }

    # Remove trusted certificates that have already expired (-Confirm:$false so an unattended run never hangs on a prompt)
    Get-VITrustedCertificate -Server $vCenterConnection | Where-Object { $_.NotValidAfter -lt (Get-Date) } | Remove-VITrustedCertificate -Confirm:$false

    # Disconnect from vCenter
    Disconnect-VIServer -Server $FQDN -Confirm:$false
}
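Two checks that belong around a script like the one above, written here as an added example (it is not the poster's code and not part of Certify The Web or PowerCLI): a pre-flight validation that the exported PEM pair is consistent, not about to expire, and issued for the right host name, and a post-deploy check that vCenter is actually serving the new certificate on port 443. It assumes Windows PowerShell 7 or later (.NET 5+ is needed for X509Certificate2::CreateFromPem), the same C:\CTW\FullChain\<fqdn>\ layout as the script, and the placeholder host name vcenter.vmware.com.

```powershell
# Added example, not the original poster's script: validate the Certify The Web
# output before it is pushed, then confirm vCenter presents the new certificate.
# Assumes PowerShell 7+ on Windows and the C:\CTW\FullChain\<fqdn>\ layout above.
using namespace System.Security.Cryptography.X509Certificates

function Test-PemPair {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ExpectedHost,
        [int] $MinDaysRemaining = 7
    )
    $certPem = Get-Content -Path $CertPath -Raw
    $keyPem  = Get-Content -Path $KeyPath  -Raw

    # CreateFromPem pairs the leaf certificate with the private key and throws if
    # they do not match, so a mismatched cert/key never reaches vCenter.
    $cert = [X509Certificate2]::CreateFromPem($certPem, $keyPem)

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt $MinDaysRemaining) {
        throw "Certificate $($cert.Thumbprint) expires in $daysLeft day(s); not deploying."
    }

    # Check the SAN list (OID 2.5.29.17); clients ignore the CN, so the CN alone is not enough.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans   = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($sans -notmatch [regex]::Escape($ExpectedHost)) {
        throw "Certificate SANs '$sans' do not include $ExpectedHost."
    }
    return $cert
}

function Get-ServedThumbprint {
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The validation callback returns $true only because we want to *read* what
        # the server presents; the thumbprint comparison below is the real check.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return ([X509Certificate2]::new($ssl.RemoteCertificate)).Thumbprint
    }
    finally { $client.Dispose() }
}

# --- usage, mirroring the variables in the script above ---
$fqdn = 'vcenter.vmware.com'   # placeholder host name
$newCert = Test-PemPair -CertPath "C:\CTW\FullChain\$fqdn\$fqdn.pem" `
                        -KeyPath  "C:\CTW\FullChain\$fqdn\$fqdn.privkey.pem" `
                        -ExpectedHost $fqdn
Write-Host "Validated $($newCert.Subject), thumbprint $($newCert.Thumbprint)"

# ... Set-VIMachineCertificate goes here, as in the script above ...

# vCenter restarts its web services after a certificate swap, so poll for a while
# rather than checking once and failing on the restart window.
$deadline = (Get-Date).AddMinutes(10)
do {
    try   { $served = Get-ServedThumbprint -HostName $fqdn }
    catch { $served = $null }
    if ($served -eq $newCert.Thumbprint) { break }
    Start-Sleep -Seconds 20
} while ((Get-Date) -lt $deadline)

if ($served -ne $newCert.Thumbprint) {
    throw "vCenter $fqdn still presents '$served'; expected $($newCert.Thumbprint)."
}
Write-Host "vCenter $fqdn now presents the new certificate."
```

Running Test-PemPair before Set-VIMachineCertificate means a bad export (wrong key, stale file, wrong SAN) fails the task loudly instead of leaving vCenter with a broken certificate, and the post-deploy poll gives Certify The Web a real success or failure signal rather than assuming the cmdlet's return was the end of the story.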

I haven’t tried it, but this looks good to me based on their documentation and the “Managing vSphere Certificates with PowerCLI” post on the VMware PowerCLI Blog.

I presume you have a Deploy to Generic Server task or a couple of Export Certificate tasks already to get the component files you need.

You may be able to use PowerShell Secrets or some other secrets vault to avoid storing the pwd in your script.

Do you currently have it working, or are you hitting any problems?
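One way to take the suggestion above about a secrets vault, as an added example (not from the thread, Certify The Web or PowerCLI): keep the vCenter credential in a PowerShell SecretManagement vault and have the deployment script fetch it at run time, so the password is never written into the script. It assumes the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore modules are installed, and uses the placeholder vault name CTW and secret name vcenter-admin.

```powershell
# Added example, not from the thread: pull the vCenter credential from a
# SecretManagement vault instead of hard-coding it in the deployment script.
# Assumes Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore
# are installed; "CTW" and "vcenter-admin" are placeholder names.

# One-off setup, run interactively AS THE ACCOUNT the Certify The Web service runs
# under (the SecretStore vault is per-user):
#   Register-SecretVault -Name CTW -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
#   Set-Secret -Name vcenter-admin -Vault CTW -Secret (Get-Credential)   # stores a PSCredential
#   # No password prompt is possible in an unattended task, so the store must be
#   # configured for no interaction; it is then protected only by that OS account,
#   # which is why a dedicated, least-privilege service account is the right home for it.
#   Set-SecretStoreConfiguration -Authentication None -Interaction None -Confirm:$false

function Connect-VCenterFromVault {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $VaultName  = 'CTW',
        [string] $SecretName = 'vcenter-admin'
    )
    Import-Module Microsoft.PowerShell.SecretManagement -ErrorAction Stop
    Import-Module VMware.PowerCLI -ErrorAction Stop

    # Get-Secret hands back the stored PSCredential; the plaintext password never
    # appears in the script, its parameters or the task log.
    $cred = Get-Secret -Name $SecretName -Vault $VaultName -ErrorAction Stop
    if ($cred -isnot [pscredential]) {
        throw "Secret '$SecretName' in vault '$VaultName' is not a PSCredential."
    }
    return Connect-VIServer -Server $Server -Credential $cred -ErrorAction Stop
}

# Usage inside the deployment script, replacing the -User/-Password connection:
#   $vCenterConnection = Connect-VCenterFromVault -Server $FQDN
```

The deployment script then carries no secret at all; rotating the vCenter password is a single Set-Secret call, and the vault file is only readable by the account the task runs as.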

At https://my-little-vcentre.example.co.uk there is a “Download trusted root CA certificates” link at the far right. You can pop the vCentre CA cert into Group Policy or /usr/local/shared/ca-whereverubuntuordebianputsthem/ and run update-ca-something. Anyway, browser CA trust is well documented when you work out what you are actually looking for!

You can’t grab an SSL cert from Let’s Encrypt that you can use to mint your own certs (i.e. an intermediate CA), so I suggest you drop that line of enquiry.
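The Windows side of the CA-trust step described above, as an added example (not from the thread and not VMware's tooling): unpack the bundle from the “Download trusted root CA certificates” link and add only the self-signed CA certificates in it to the machine Root store, skipping the CRL files and anything that is not actually a root. It assumes the bundle was extracted to the placeholder path C:\Temp\vcenter-certs, that the certificates in it use the .0, .crt or .cer extension, and that the shell is elevated (the LocalMachine\Root store is not writable otherwise).

```powershell
# Added example, not from the thread: trust the vCenter root CA on a Windows admin
# workstation so browsers and PowerCLI stop warning about the vCenter certificate.
# Assumes the downloaded bundle is unpacked under C:\Temp\vcenter-certs (placeholder)
# and that the cert files end in .0, .crt or .cer; CRLs (.r0/.crl) are ignored.
using namespace System.Security.Cryptography.X509Certificates

function Install-VCenterRootCA {
    param(
        [Parameter(Mandatory)] [string] $BundleDir,
        [StoreName]     $StoreName     = [StoreName]::Root,
        [StoreLocation] $StoreLocation = [StoreLocation]::LocalMachine   # needs an elevated shell
    )
    $store = [X509Store]::new($StoreName, $StoreLocation)
    $store.Open([OpenFlags]::ReadWrite)
    $seen = @{}
    try {
        $files = Get-ChildItem -Path $BundleDir -Recurse -File -Include '*.0', '*.crt', '*.cer'
        foreach ($file in $files) {
            try { $cert = [X509Certificate2]::new($file.FullName) }
            catch { Write-Warning "Skipping unreadable $($file.Name): $_"; continue }

            # The bundle may carry the same CA in more than one encoding; import it once.
            if ($seen.ContainsKey($cert.Thumbprint)) { continue }
            $seen[$cert.Thumbprint] = $true

            # Only a self-signed certificate with the CA basic constraint belongs in
            # Root; refuse anything else rather than silently trusting it as a root.
            $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
            if ($cert.Subject -ne $cert.Issuer -or -not $bc -or -not $bc.CertificateAuthority) {
                Write-Warning "Skipping $($cert.Subject): not a self-signed CA"; continue
            }

            $already = $store.Certificates.Find([X509FindType]::FindByThumbprint, $cert.Thumbprint, $false).Count -gt 0
            if (-not $already) { $store.Add($cert) }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Status     = if ($already) { 'already trusted' } else { 'imported' }
            }
        }
    }
    finally { $store.Close() }
}

Install-VCenterRootCA -BundleDir 'C:\Temp\vcenter-certs' | Format-Table -AutoSize
```

The output lists exactly which thumbprints were added, which is what you want to compare against the vCenter UI before trusting the result; for Debian or Ubuntu clients the equivalent is copying the same .0 or .crt files into /usr/local/share/ca-certificates/ (as .crt) and running update-ca-certificates, as the reply above alludes to.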