VMware Cloud Community
trailhawk
Contributor

Collect Information About ESXi Hosts and vCenter Server to Be Trusted

I'm trying to export the TPM cert as outlined in this article LINK

When I run:

Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath C:\TPM_Keys\

I receive the following error.

Export-Tpm2CACertificate : 12/21/2022 12:17:56 PM       Export-Tpm2CACertificate                Invalid X509Certificate2 provided, its CA issuer file couldnot be downloaded.
At line:1 char:1
+ Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath C:\Users ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Export-Tpm2CACertificate], VimException
    + FullyQualifiedErrorId : Security_WorkloadVMHostSettingServiceImpl_GetCACertificate_CertificateIssue,VMware.VimAutomation.Security.Commands.Cmdlets.TrustedInfrastructure.ExportTpm2CACertificate

I'm at a loss right now on how to proceed. 

10 Replies
LucD
Leadership

Did you check what is in the $tpm2 variable (the object returned by Get-Tpm2EndorsementKey)?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

trailhawk
Contributor

Get-Tpm2EndorsementKey -VMHost $vmhost

VMHostId                       PublicKey                                Certificate
--------                       ---------                                -----------
HostSystem-ha-host             -----BEGIN PUBLIC KEY-----...            [Subject]...

Then I ran

$tpm2 = Get-Tpm2EndorsementKey -VMHost $vmhost

but when I run

Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath C:\drop

I receive the error listed above.

LucD
Leadership

The error seems to indicate that the CA issuer file cannot be downloaded.
Is that an internal CA or an external CA?
Do you have Internet access on the station where you run the cmdlet?


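The error text names the failing step: PowerCLI reads the Authority Information Access (AIA) extension of the host's TPM endorsement-key certificate and tries to download the "CA Issuers" file it points to, from the workstation running the cmdlet. The script below is an added diagnostic, not code from the thread or from PowerCLI: it pulls the AIA URL(s) out of the same certificate object that Get-Tpm2EndorsementKey returns, tries to fetch each one through the proxy, and checks that what comes back actually parses as the EK issuer. It assumes an existing PowerCLI session, that $vmhost already holds the host object (e.g. from Get-VMHost), and that the proxy URL and output directory are placeholders to adjust.

```powershell
# Added diagnostic for the "CA issuer file could not be downloaded" error. Not part of
# the thread or of PowerCLI. Assumes a PowerCLI session is open and $vmhost holds the
# host object (e.g. $vmhost = Get-VMHost). Proxy URL and output directory are placeholders.
$proxy  = 'http://proxy.example.internal:8080'   # assumption: the egress proxy you jump through
$outDir = 'C:\TPM_Keys'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

$tpm2   = Get-Tpm2EndorsementKey -VMHost $vmhost
$ekCert = $tpm2.Certificate      # X509Certificate2 of the TPM endorsement key
if (-not $ekCert) { throw "Get-Tpm2EndorsementKey returned no certificate for $($vmhost.Name)." }

"EK subject : $($ekCert.Subject)"
"EK issuer  : $($ekCert.Issuer)"
"Not after  : $($ekCert.NotAfter)"

# The issuer download location lives in the Authority Information Access extension
# (OID 1.3.6.1.5.5.7.1.1); the "CA Issuers" access method is 1.3.6.1.5.5.7.48.2.
# Windows PowerShell exposes it only as a generic X509Extension, so parse Format() output.
$aia = $ekCert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) { throw 'The EK certificate carries no AIA extension; there is no issuer URL to download.' }
$issuerUrls = ($aia.Format($true) -split '\[\d+\]Authority Info Access') |
    Where-Object { $_ -match '1\.3\.6\.1\.5\.5\.7\.48\.2' } |
    ForEach-Object { if ($_ -match 'URL=(\S+)') { $Matches[1] } }
if (-not $issuerUrls) { throw 'AIA is present but contains no CA Issuers URL (OCSP only?).' }
"AIA CA Issuers URL(s): $($issuerUrls -join ', ')"

# Fetch each URL the way the cmdlet has to: from this workstation, via the proxy.
foreach ($url in $issuerUrls) {
    $file = Join-Path $outDir ([IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    try {
        Invoke-WebRequest -Uri $url -Proxy $proxy -ProxyUseDefaultCredentials `
            -UseBasicParsing -TimeoutSec 20 -OutFile $file
        # The file may be DER, PEM or PKCS#7; X509Certificate2Collection.Import handles all three.
        $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $coll.Import($file)
        "OK   $url -> $file ($((Get-Item $file).Length) bytes)"
        foreach ($c in $coll) {
            # Loose check: the downloaded cert's subject should equal the EK cert's issuer DN.
            "     contains: $($c.Subject)  matches EK issuer: $($c.Subject -eq $ekCert.Issuer)"
        }
    } catch {
        "FAIL $url : $($_.Exception.Message)"
    }
}

# Cross-check with the local chain engine. TPM EK certificates usually chain to a
# manufacturer CA that is not in the Windows store, so PartialChain or UntrustedRoot
# here is normal; the useful part is seeing which issuer the chain engine cannot find.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($ekCert)
$chain.ChainElements | ForEach-Object { "chain  : $($_.Certificate.Subject)" }
$chain.ChainStatus   | ForEach-Object { "status : $($_.Status) $($_.StatusInformation.Trim())" }
```

If a URL reports FAIL here (proxy authentication, a blocked manufacturer domain, a plain-HTTP URL the proxy refuses, or a dead link on the TPM vendor's side), Export-Tpm2CACertificate will fail the same way, and fetching the issuer certificate from a machine that can reach that URL is the practical workaround. If every URL downloads and parses but the cmdlet still fails, the problem is not network reachability, which narrows the SR to the cmdlet itself or to the account it runs under.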
trailhawk
Contributor

The ESXi servers do not have Internet access, but the machine that I'm running the commands from does have Internet access. But I am jumping through a proxy.

LucD
Leadership

There is another thread around the same issue, see Can't export TPMCA certificate - VMware Technology Network VMTN
Which account are you using?


LucD
Leadership

The documentation specifies you need to use an account that is a trust_admin_user.


trailhawk
Contributor

I read through that post. It calls out connecting with -server "esxi host"; I'm logging in with root via PowerShell. Root is part of the administrator group and has the trustedadmin box checked.

LucD
Leadership

Then you'd better open an SR, I'm afraid.


trailhawk
Contributor

Thanks for the help. Merry Christmas to you and yours.

LucD
Leadership

Thanks.
Best wishes to you and your loved ones.

