To establish trust, the vSphere Trust Authority Cluster requires information about the Trusted Cluster's ESXi hosts and vCenter Server. You export this information as files for importing into the Trust Authority Cluster. You must ensure to keep these files confidential and transport them securely.

You use vSphere Trust Authority PowerCLI cmdlets to export the following information as files from the ESXi hosts in the Trusted Cluster for the Trust Authority Cluster to know what software and hardware to trust.

  • ESXi version
  • TPM manufacturer (CA certificate)
  • (Optional) Individual TPM (EK certificate)
Note: Store these exported files in a secure location, in case you must restore the vSphere Trust Authority configuration.

If you have hosts of the same type and vendor, and manufactured during the same timeframe and location, you might be able to trust all TPMs by obtaining the CA certificate of only one of the TPMs. To trust an individual TPM, you obtain the EK certificate of the TPM.

You must also obtain the principal information from the Trusted Cluster's vCenter Server. The principal information contains the vpxd solution user and its certificate chain. The principal information enables the Trusted Cluster's vCenter Server to discover the available trusted key providers configured on the Trust Authority Cluster.

To configure vSphere Trust Authority initially, you must collect the ESXi version and TPM information. Also, you must collect the ESXi version each time after you deploy a new version of ESXi, including when you upgrade or apply a patch.

You collect the vCenter Server principal information only one time per vCenter Server system.

Prerequisites

  • Identify the ESXi versions and TPM hardware types that are in the Trusted Cluster, and whether you want to trust all TPM hardware types, only certain ones, or individual hosts.
  • On the machine from which you run the PowerCLI cmdlets, create a local folder in which to save the information you export as files.
  • Enable the Trust Authority Administrator.
  • Enable the Trust Authority State.

Procedure

  1. In a PowerCLI session, run the following commands to disconnect any current connection and connect as the root user to one of the ESXi hosts in the Trusted Cluster.
    Disconnect-VIServer -server * -Confirm:$false
    Connect-VIServer -server host_ip_address -User root -Password 'password'
  2. Run the Get-VMHost cmdlet to confirm the ESXi host.
    Get-VMHost
    The host information is displayed.
  3. Assign Get-VMHost to a variable.
    For example:
    $vmhost = Get-VMHost
  4. Run the Export-Tpm2CACertificate cmdlet to export the CA certificate of a given TPM manufacturer.
    1. Assign Get-Tpm2EndorsementKey -VMHost $vmhost to a variable.
      For example, this command assigns Get-Tpm2EndorsementKey -VMHost $vmhost to the variable $tpm2.
      $tpm2 = Get-Tpm2EndorsementKey -VMHost $vmhost
    2. Run the Export-Tpm2CACertificate cmdlet.
      For example, this command exports the TPM certificate to the cacert.zip file. Ensure that the destination directory exists before running this command.
      Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath C:\vta\cacert.zip
      The file is created.
    3. Repeat for each TPM hardware type in the cluster that you want to trust. Use a different file name for each TMP hardware type so that you do not overwrite a previously exported file.
  5. Run the Export-VMHostImageDb cmdlet to export the ESXi host description of software (the ESXi image).
    For example, this command exports the information to the image.tgz file. Ensure that the destination directory exists before running this command.
    Export-VMHostImageDb -VMHost $vmhost -FilePath C:\vta\image.tgz
    Note: The Export-VMHostImageDb cmdlet also works if you prefer to log in to the vCenter Server of the Trusted Cluster.
    The file is created.

    Repeat for each ESXi version in the cluster that you want to trust. Use a different file name for each version so that you do not overwrite a previously exported file.

  6. Export the Trusted Cluster's vCenter Server principal information.
    1. Disconnect from the ESXi host.
      Disconnect-VIServer -server * -Confirm:$false
    2. Connect to the vCenter Server of the Trusted Cluster using the Trust Authority administrator user. (Alternatively, you can use a user that has Administrator privileges.)
      Connect-VIServer -server TrustedCluster_VC_ip_address -User trust_admin_user -Password 'password'
    3. To export the Trusted Cluster's vCenter Server principal information, run the Export-TrustedPrincipal cmdlet.
      For example, this command exports the information to the principal.json file. Ensure that the destination directory exists before running this command.
      Export-TrustedPrincipal -FilePath C:\vta\principal.json
      The file is created.
  7. (Optional) If you want to trust an individual host, you must export the TPM EK public key certificate.

Results

The following files are created:

  • TPM CA certificate file (.zip file extension)
  • ESXi image file (.tgz file extension)
  • vCenter Server principal file (.json file extension)

Example: Collecting Information About ESXi Hosts and vCenter Server to Be Trusted

This example shows how to use PowerCLI to export the ESXi host information and the vCenter Server Principal. The following table shows the example components and values that are used.

Table 1. Example vSphere Trust Authority Setup
Component Value
ESXi host in Trusted Cluster 192.168.110.51
vCenter Server for Trusted Cluster 192.168.110.22
Variable $vmhost Get-VMHost
Variable $tpm2 Get-Tpm2EndorsementKey -VMHost $vmhost
Trust Authority administrator trustedadmin@vsphere.local
Local directory to contain output files C:\vta
PS C:\Users\Administrator.CORP> Connect-VIServer -server 192.168.110.51 -User root -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.110.51                  443  root

PS C:\Users\Administrator.CORP> Get-VMHost

Name               ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz MemoryUsageGB MemoryTotalGB Version
----               --------------- ---------- ------ ----------- ----------- ------------- ------------- -------
192.168.110.51     Connected       PoweredOn       4         200        9576         1.614         7.999   7.0.0

PS C:\Users\Administrator.CORP> $vmhost = Get-VMHost
PS C:\Users\Administrator.CORP> $tpm2 = Get-Tpm2EndorsementKey -VMHost $vmhost
PS C:\> Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath C:\vta\cacert.zip

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/8/2019   6:55 PM           1004 cacert.zip

PS C:\Users\Administrator.CORP> Export-VMHostImageDb -VMHost $vmhost -FilePath C:\vta\image.tgz

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         10/8/2019  11:02 PM          2391 image.tgz

PS C:\Users\Administrator.CORP> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator.CORP> Connect-VIServer -server 192.168.110.22 -User trustedadmin@vsphere.local -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.110.22                  443  VSPHERE.LOCAL\trustedadmin

PS C:\Users\Administrator.CORP> Export-TrustedPrincipal -FilePath C:\vta\principal.json

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         10/8/2019  11:14 PM           1873 principal.json

What to do next

Continue with Import the Trusted Host Information to the Trust Authority Cluster.