You import the exported ESXi host and vCenter Server information into the vSphere Trust Authority Cluster, so that the Trust Authority Cluster knows which hosts it can attest.

If you are following these tasks in order, you are still connected to the vCenter Server of the Trust Authority Cluster.

Prerequisites

Procedure

  1. Ensure that you are connected as the Trust Authority administrator to the vCenter Server of the Trust Authority Cluster.
    For example, you can enter $global:defaultviservers to show all the connected servers.
  2. (Optional) If necessary, you can run the following commands to ensure that you are connected to the vCenter Server of the Trust Authority Cluster.
    Disconnect-VIServer -server * -Confirm:$false
    Connect-VIServer -server TrustAuthorityCluster_VC_ip_address -User trust_admin_user -Password 'password'
  3. To show the clusters managed by this vCenter Server, run the Get-TrustAuthorityCluster cmdlet.
    Get-TrustAuthorityCluster
    The clusters are displayed.
  4. Assign the Get-TrustAuthorityCluster 'cluster' information to a variable.
    For example, this command assigns the information for cluster vTA Cluster to the variable $vTA.
    $vTA = Get-TrustAuthorityCluster 'vTA Cluster'
  5. To import the vCenter Server principal information of the Trusted Cluster into the Trust Authority Cluster, run the New-TrustAuthorityPrincipal cmdlet.
    For example, the following command imports the principal.json file previously exported in Collect Information About ESXi Hosts and vCenter Server to Be Trusted.
    New-TrustAuthorityPrincipal -TrustAuthorityCluster $vTA -FilePath C:\vta\principal.json
    The TrustAuthorityPrincipal information is displayed.
  6. To verify the import, run the Get-TrustAuthorityPrincipal cmdlet.
    For example:
    Get-TrustAuthorityPrincipal -TrustAuthorityCluster $vTA
    The imported TrustAuthorityPrincipal information is displayed.
  7. To import the Trusted Platform Module (TPM) CA certificate information, run the New-TrustAuthorityTpm2CACertificate cmdlet.
    For example, the following command imports the TPM CA certificate information from the cacert.zip file previously exported in Collect Information About ESXi Hosts and vCenter Server to Be Trusted.
    New-TrustAuthorityTpm2CACertificate -TrustAuthorityCluster $vTA -FilePath C:\vta\cacert.zip 
    The imported certificate information is displayed.
  8. To import the ESXi host base image information, run the New-TrustAuthorityVMHostBaseImage cmdlet.
    For example, the following command imports the image information from the image.tgz file previously exported in Collect Information About ESXi Hosts and vCenter Server to Be Trusted.
    New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA -FilePath C:\vta\image.tgz
    The imported image information is displayed.

Results

The Trust Authority Cluster knows which ESXi hosts it can remotely attest, and so, which hosts it can trust.

Example: Import the Trusted Host Information to the Trust Authority Cluster

This example shows how to use PowerCLI to import the vCenter Server principal information of the Trusted Cluster and the Trusted Host information files to the Trust Authority Cluster. It assumes that you are connected to the vCenter Server of the Trust Authority Cluster as the Trust Authority administrator. The following table shows the example components and values that are used.

Table 1. Example vSphere Trust Authority Setup
Component Value
Variable $vTA Get-TrustAuthorityCluster 'vTA Cluster1'
vCenter Server for Trust Authority Cluster 192.168.210.22
Trust Authority Cluster names

vTA Cluster1 (Enabled)

vTA Cluster2 (Disabled)

Principal information file C:\vta\principal.json
TPM certificate file C:\vta\cacert.cer
ESXi host base image file C:\vta\image.tgz
Trust Authority administrator trustedadmin@vsphere.local
PS C:\Users\Administrator> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator> Connect-VIServer -server 192.168.210.22 -User trustedadmin@vsphere.local -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.210.22                  443  VSPHERE.LOCAL\trustedadmin

PS C:\Users\Administrator> Get-TrustAuthorityCluster

Name                 State                Id
----                 -----                --
vTA Cluster1         Enabled              TrustAuthorityCluster-domain-c8
vTA Cluster2         Disabled             TrustAuthorityCluster-domain-c26

PS C:\Users\Administrator> $vTA = Get-TrustAuthorityCluster 'vTA Cluster1'

PS C:\Users\Administrator.CORP> New-TrustAuthorityPrincipal -TrustAuthorityCluster $vTA -FilePath C:\vta\principal.json

Name                                          Domain          Type       TrustAuthorityClusterId
----                                          ------          ----       -----------------------
vpxd-de207929-0601-43ef-9616-47d0cee0302f     vsphere.local   STS_USER   TrustAuthorityCluster-domain-c8

PS C:\Users\Administrator.CORP> Get-TrustAuthorityPrincipal -TrustAuthorityCluster $vTA

Name                                          Domain          Type       TrustAuthorityClusterId
----                                          ------          ----       -----------------------
vpxd-de207929-0601-43ef-9616-47d0cee0302f     vsphere.local   STS_USER   TrustAuthorityCluster-domain-c8

PS C:\Users\Administrator.CORP> New-TrustAuthorityTpm2CACertificate -TrustAuthorityCluster $vTA -FilePath C:\vta\cacert.cer

TrustAuthorityClusterId                  Name                                     Health
-----------------------                  ----                                     ------
TrustAuthorityCluster-domain-c8          52BDB7B4B2F55C925C047257DED4588A7767D961 Ok

PS C:\Users\Administrator.CORP> New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA -FilePath C:\vta\image.tgz

TrustAuthorityClusterId                  VMHostVersion                            Health
-----------------------                  -------------                            ------
TrustAuthorityCluster-domain-c8          ESXi 7.0.0-0.0.14828939                  Ok

What to do next

Continue with Create the Key Provider on the Trust Authority Cluster.