You can export a TPM endorsement key (EK) certificate from an ESXi host, and import it to the vSphere Trust Authority Cluster. You do so when you want to trust an individual ESXi host in the Trusted Cluster.
To import a TPM EK certificate into the Trust Authority Cluster, you must change the Trust Authority Cluster's default attestation type to accept EK certificates. The default attestation type accepts TPM Certificate Authority (CA) certificates. Some TPMs do not include EK certificates. If you want to trust individual ESXi hosts, the TPM must include an EK certificate.
Prerequisites
Procedure
Results
The Trust Authority Cluster's attestation type is changed to accept EK certificates. The EK certificate is exported from the Trusted Cluster and imported to the Trust Authority Cluster.
Example: Export and Import a TPM EK Certificate
This example shows how to use PowerCLI to change the Trust Authority Cluster's default attestation type to accept EK certificates, export the TPM EK certificate from the ESXi host in the Trusted Cluster, and import it to the Trust Authority Cluster. The following table shows the example components and values that are used.
| Component | Value |
|---|---|
| vCenter Server for Trust Authority Cluster | 192.168.210.22 |
| Variable $vTA | Get-TrustAuthorityCluster 'vTA Cluster' |
| Variable $tpm2Settings | Get-TrustAuthorityTpm2AttestationSettings -TrustAuthorityCluster $vTA |
| Variable $vmhost | Get-VMHost |
| ESXi host in Trusted Cluster | 192.168.110.51 |
| Trust Authority administrator | trustedadmin@vsphere.local |
| Local directory to contain output file | C:\vta |
```
PS C:\Users\Administrator> Connect-VIServer -server 192.168.210.22 -User trustedadmin@vsphere.local -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.210.22                 443   VSPHERE.LOCAL\TrustedAdmin

PS C:\Users\Administrator> Get-TrustAuthorityCluster

Name                 State      Id
----                 -----      --
vTA Cluster          Enabled    TrustAuthorityCluster-domain-c8

PS C:\Users\Administrator> $vTA = Get-TrustAuthorityCluster 'vTA Cluster'
PS C:\Users\Administrator> $tpm2Settings = Get-TrustAuthorityTpm2AttestationSettings -TrustAuthorityCluster $vTA
PS C:\Users\Administrator> Set-TrustAuthorityTpm2AttestationSettings -Tpm2AttestationSettings $tpm2Settings -RequireEndorsementKey

Confirmation
Configure the Tpm2AttestationSettings 'TrustAuthorityTpm2AttestationSettings-domain-c8' with the following parameters:
RequireCertificateValidation: False
RequireEndorsementKey: True
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Name                                     RequireEndorsementKey RequireCertificateValidation Health
----                                     --------------------- ---------------------------- ------
TrustAuthorityTpm2AttestationSettings... True                  False                        Ok

PS C:\Users\Administrator> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator> Connect-VIServer -server 192.168.110.51 -User root -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.110.51                 443   root

PS C:\Users\Administrator> Get-VMHost

Name            ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz MemoryUsageGB MemoryTotalGB Version
----            --------------- ---------- ------ ----------- ----------- ------------- ------------- -------
192.168.110.51  Connected       PoweredOn       4          55        9576         1.230         7.999   7.0.0

PS C:\Users\Administrator> $vmhost = Get-VMHost
PS C:\Users\Administrator> Export-Tpm2EndorsementKey -VMHost $vmhost -FilePath C:\vta\tpm2ek.json

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        12/3/2019  10:16 PM           2391 tpm2ek.json

PS C:\Users\Administrator> Disconnect-VIServer -server * -Confirm:$false
PS C:\Users\Administrator> Connect-VIServer -server 192.168.210.22 -User trustedadmin@vsphere.local -Password 'VMware1!'

Name                           Port  User
----                           ----  ----
192.168.210.22                 443   VSPHERE.LOCAL\TrustedAdmin

PS C:\Users\Administrator> Get-TrustAuthorityCluster

Name                 State      Id
----                 -----      --
vTA Cluster          Enabled    TrustAuthorityCluster-domain-c8

PS C:\Users\Administrator> $vTA = Get-TrustAuthorityCluster 'vTA Cluster'
PS C:\Users\Administrator> New-TrustAuthorityTpm2EndorsementKey -TrustAuthorityCluster $vTA -FilePath C:\vta\tpm2ek.json

TrustAuthorityClusterId         Name                                 Health
-----------------------         ----                                 ------
TrustAuthorityCluster-domain-c8 1a520e42-4db8-1cbb-6dd7-f493fd921ccb Ok
```
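The same three steps as a single PowerCLI script, added here as an example that is not part of the VMware documentation: it prompts for credentials instead of passing passwords on the command line, checks that the attestation settings really require an EK before exporting, and checks the imported key's Health before reporting success. The cmdlets and parameters are the ones used in the session above; the host addresses, cluster name and file path are the page's sample values, and treating a Health value other than Ok as a failure is an assumption.

```powershell
# Added example, not VMware's own script. Automates the export/import procedure
# described on this page with the cmdlets shown in the session above.
param(
    [string]$TrustAuthorityVCenter     = '192.168.210.22',   # sample value from the page
    [string]$TrustAuthorityClusterName = 'vTA Cluster',      # sample value from the page
    [string]$TrustedHost               = '192.168.110.51',   # sample value from the page
    [string]$EkFile                    = 'C:\vta\tpm2ek.json'
)
Import-Module VMware.PowerCLI -ErrorAction Stop

# Prompt for credentials rather than embedding passwords in the script or shell history.
$taCred   = Get-Credential -Message "Trust Authority administrator for $TrustAuthorityVCenter"
$hostCred = Get-Credential -Message "root (or equivalent) on ESXi host $TrustedHost"

# Step 1: make the Trust Authority Cluster accept EK certificates.
$ta = Connect-VIServer -Server $TrustAuthorityVCenter -Credential $taCred
try {
    $vTA = Get-TrustAuthorityCluster $TrustAuthorityClusterName
    $tpm2Settings = Get-TrustAuthorityTpm2AttestationSettings -TrustAuthorityCluster $vTA
    if (-not $tpm2Settings.RequireEndorsementKey) {
        # Set-* returns the updated settings object, as the interactive session shows.
        $tpm2Settings = Set-TrustAuthorityTpm2AttestationSettings -Tpm2AttestationSettings $tpm2Settings `
                            -RequireEndorsementKey -Confirm:$false
    }
    if (-not $tpm2Settings.RequireEndorsementKey) { throw 'Attestation settings still do not require an EK' }
} finally { Disconnect-VIServer -Server $ta -Confirm:$false }

# Step 2: export the EK certificate while connected directly to the ESXi host.
$esx = Connect-VIServer -Server $TrustedHost -Credential $hostCred
try {
    $vmhost = Get-VMHost -Server $esx
    Export-Tpm2EndorsementKey -VMHost $vmhost -FilePath $EkFile | Out-Null
} finally { Disconnect-VIServer -Server $esx -Confirm:$false }
if (-not (Test-Path $EkFile)) { throw "EK export did not produce $EkFile" }

# Step 3: import the EK into the Trust Authority Cluster and verify it is healthy.
$ta = Connect-VIServer -Server $TrustAuthorityVCenter -Credential $taCred
try {
    $vTA = Get-TrustAuthorityCluster $TrustAuthorityClusterName
    $ek  = New-TrustAuthorityTpm2EndorsementKey -TrustAuthorityCluster $vTA -FilePath $EkFile
    # Assumption: any Health other than Ok means the key should not be relied on.
    if ("$($ek.Health)" -ne 'Ok') { throw "Imported EK $($ek.Name) reports Health '$($ek.Health)'" }
    Write-Host "Imported EK $($ek.Name) into $($ek.TrustAuthorityClusterId) (Health: $($ek.Health))"
} finally { Disconnect-VIServer -Server $ta -Confirm:$false }
```

Run it from a PowerCLI session that already has the VMware.PowerCLI module installed; the exported tpm2ek.json is left in place so it can be kept as a record of which EK was trusted.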
What to do next
Continue with Import the Trusted Host Information to the Trust Authority Cluster.