The TLS interface provides the operations for replacing the Machine SSL certificate.
Key method: vcenter.certificate_management.vcenter.Tls.get()
Description: returns information about the rhttpproxy TLS certificate, i.e. the Machine SSL certificate that the vCenter reverse proxy serves.
Parameters: N/A
Return value: a structure with the following fields
authority_information_access_uri: the set of Authority Information Access URIs.
cert: the TLS certificate in PEM format.
extended_key_usage: the set of extended key usages, which details what the certificate may be used for.
is_ca: whether the certificate is a CA certificate.
issuer_dn: the issuer distinguished name from the certificate.
key_usage: the set of key usages contained in the certificate.
path_length_constraint: the certificate path length constraint from the critical BasicConstraints extension (OID 2.5.29.19).
serial_number: the serial number of the certificate.
signature_algorithm: the name of the signature algorithm used in the certificate.
subject_alternative_name: the set of subject alternative names.
subject_dn: the subject distinguished name from the certificate.
thumbprint: the thumbprint of the certificate.
valid_from: the start of the certificate's validity period.
valid_to: the end of the certificate's validity period.
version: the version number of the certificate.
Script:
import time
from com.vmware.vapi.std.errors_client import Error as VapiError
from vSphere_Automation_SDK.Connect_to_vCenter_Server import vsphere_client

start_time = time.time()
try:
    get_cert = vsphere_client.vcenter.certificate_management.vcenter.Tls.get()
    # Field names follow the structure returned by Tls.get(); the SDK attribute is is_ca.
    fields = [
        ("Version", get_cert.version),
        ("Serial Number", get_cert.serial_number),
        ("Signature Algorithm", get_cert.signature_algorithm),
        ("Issuer Dn", get_cert.issuer_dn),
        ("Valid From", get_cert.valid_from),
        ("Valid To", get_cert.valid_to),
        ("Subject Dn", get_cert.subject_dn),
        ("Thumbprint", get_cert.thumbprint),
        ("Is CA", get_cert.is_ca),
        ("Path Length Constraint", get_cert.path_length_constraint),
        ("Key Usage", get_cert.key_usage),
        ("Extended Key Usage", get_cert.extended_key_usage),
        ("Subject Alternative Name", get_cert.subject_alternative_name),
        ("Authority Information Access URI", get_cert.authority_information_access_uri),
    ]
    print("========================================")
    for label, value in fields:
        print((label + ":").ljust(36), value)
    print("Cert:\n" + get_cert.cert)
except VapiError as err:
    # Errors raised by the vAPI SDK carry a list of localizable messages plus data and error_type;
    # catching the SDK error class (not Exception) guarantees those attributes exist.
    print("\033[1;31m Encountered an error, please see the following information \033[0m")
    for msg in err.messages:
        print("\tError Class:", msg.id,
              "\n\tMessage:", msg.default_message,
              "\n\tArgs:", msg.args,
              "\n\tParams:", msg.params,
              "\n\tLocalized:", msg.localized)
    print("Error Data:", err.data,
          "\nError Type:", err.error_type)
run_time = time.time() - start_time
print("========================================")
print("Used Time:".ljust(36), run_time)
Script output screenshot:
Key method: vcenter.certificate_management.vcenter.Tls.renew()
Description: renews the TLS (Machine SSL) certificate for the requested validity period. When the operation completes, the services that use the certificate are restarted so that the new certificate takes effect; the vCenter UI and API are unavailable while they restart. The thumbprint changes with the renewal, so anything that pins the old thumbprint (registered solutions, backup or monitoring integrations, scripts that verify the thumbprint) has to be updated afterwards.
Parameters: duration (optional), the validity period of the new certificate in years; the script below omits it and accepts the API default.
Return value: nothing is returned directly; inspect the new certificate with Tls.get() (Get vCenter TLS) once the services are back.
Script:
import time
from com.vmware.vapi.std.errors_client import Error as VapiError
from vSphere_Automation_SDK.Connect_to_vCenter_Server import vsphere_client

start_time = time.time()
try:
    tls = vsphere_client.vcenter.certificate_management.vcenter.Tls
    # Record the current thumbprint first so the rotation can be confirmed with Tls.get() afterwards.
    old_thumbprint = tls.get().thumbprint
    print("Current Machine SSL thumbprint:", old_thumbprint)
    # The optional duration argument (validity in years) is omitted, so the API default applies.
    tls.renew()
    print("MACHINE SSL Certificate Renew Successfully\n"
          "After this operation completes, the services using the certificate will be restarted "
          "for the new certificate to take effect. Service start-up may take 5-15 min, please wait patiently.\n"
          "Once the services are back, run the Tls.get() script and compare its thumbprint with the value above.")
except VapiError as err:
    # Errors raised by the vAPI SDK carry a list of localizable messages plus data and error_type.
    print("\033[1;31m Encountered an error, please see the following information \033[0m")
    for msg in err.messages:
        print("\tError Class:", msg.id,
              "\n\tMessage:", msg.default_message,
              "\n\tArgs:", msg.args,
              "\n\tParams:", msg.params,
              "\n\tLocalized:", msg.localized)
    print("Error Data:", err.data,
          "\nError Type:", err.error_type)
run_time = time.time() - start_time
print("Used Time:".ljust(36), run_time)
Script output screenshot:
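The following is an added example, not part of the original post or of the vSphere SDK. It shows what to do with the PEM string that Tls.get() returns and how to confirm that Tls.renew() actually rotated the Machine SSL certificate: it computes the SHA-1 thumbprint, checks the remaining validity and the SAN entries against the vCenter FQDN, flags weak signature hashes, and compares the certificate captured before the renewal with the one served afterwards. It uses the cryptography package and generates self-signed test certificates locally (constructed data) so that it runs offline; make_test_cert(), check_machine_ssl(), has_rotated() and the host name vcsa.lab.local are assumptions, as is the colon-separated SHA-1 thumbprint format, which normalize_thumbprint() makes comparable with whatever form the API returns.

```python
"""Machine SSL certificate checks around Tls.get() / Tls.renew() (added example, not SDK code)."""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_test_cert(cn, sans, days_valid):
    """Constructed stand-in for Tls.get().cert: a self-signed RSA server certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=days_valid))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM).decode()


def _utc(cert, attr):
    # cryptography >= 42 exposes timezone-aware not_valid_*_utc; older releases only the naive value.
    value = getattr(cert, attr + "_utc", None)
    if value is None:
        value = getattr(cert, attr).replace(tzinfo=datetime.timezone.utc)
    return value


def thumbprint(pem):
    """SHA-1 over the DER encoding, upper-case and colon separated (assumed display format)."""
    der = x509.load_pem_x509_certificate(pem.encode()).public_bytes(serialization.Encoding.DER)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value):
    """Strip separators so thumbprints from the API, the UI and openssl compare equal."""
    return value.replace(":", "").replace(" ", "").upper()


def check_machine_ssl(pem, expected_host, min_days=30, now=None):
    """Facts an operator wants before and after a renewal, plus the problems found."""
    cert = x509.load_pem_x509_certificate(pem.encode())
    now = now or datetime.datetime.now(datetime.timezone.utc)
    days_left = (_utc(cert, "not_valid_after") - now).days
    try:
        san_ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        sans = san_ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    problems = []
    if days_left < min_days:
        problems.append("certificate expires in %d days" % days_left)
    if expected_host.lower() not in [s.lower() for s in sans]:
        problems.append("%s is not in the SAN list %s" % (expected_host, sans))
    sig = cert.signature_hash_algorithm
    if sig is not None and sig.name in ("md5", "sha1"):
        problems.append("weak signature hash %s" % sig.name)
    return {"thumbprint": thumbprint(pem), "days_left": days_left, "sans": sans,
            "issuer": cert.issuer.rfc4514_string(), "problems": problems}


def has_rotated(old_pem, new_pem):
    """True when the served certificate changed and its validity starts no earlier than before."""
    old = x509.load_pem_x509_certificate(old_pem.encode())
    new = x509.load_pem_x509_certificate(new_pem.encode())
    changed = normalize_thumbprint(thumbprint(old_pem)) != normalize_thumbprint(thumbprint(new_pem))
    return changed and _utc(new, "not_valid_before") >= _utc(old, "not_valid_before")


if __name__ == "__main__":
    # Constructed data: a soon-to-expire certificate and its replacement.
    before = make_test_cert("vcsa.lab.local", ["vcsa.lab.local"], days_valid=20)
    after = make_test_cert("vcsa.lab.local", ["vcsa.lab.local", "vcsa"], days_valid=730)
    print(check_machine_ssl(before, "vcsa.lab.local"))
    print(check_machine_ssl(after, "vcsa.lab.local"))
    print("rotated:", has_rotated(before, after))
```

In practice you would pass get_cert.cert from the Tls.get() script as old_pem, call Tls.renew(), wait for the services to come back, and pass the new Tls.get().cert as new_pem; a False from has_rotated() or a non-empty problems list is the signal to stop and investigate before updating thumbprint pins elsewhere.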
The SigningCertificate interface provides the operations for viewing and managing the vCenter signing certificates, which are used to sign and verify the tokens issued by the vCenter token service (STS). It is versioned together with the vcenter package.
Key method: vcenter.certificate_management.vcenter.SigningCertificate.get()
Description: returns the STS certificate information needed to verify tokens issued by vCenter.
Parameters: N/A
Return value: active_cert_chain and signing_cert_chains
active_cert_chain: the certificate chain the vCenter token service currently uses to sign tokens.
signing_cert_chains: the list of signing certificate chains used to verify tokens issued by vCenter. Each entry is an ordered X.509 certificate chain containing the leaf, intermediate and root certificates needed for a full chain of trust; the leaf certificate comes first in the chain and is the one to use when verifying tokens issued by vCenter.
The script uses the pyOpenSSL module (import OpenSSL) to parse the PEM-encoded certificate.
Script:
import time
from datetime import datetime

import OpenSSL
from com.vmware.vapi.std.errors_client import Error as VapiError
from vSphere_Automation_SDK.Connect_to_vCenter_Server import vsphere_client


def asn1_time(value):
    """pyOpenSSL returns notBefore/notAfter as ASN.1 time bytes such as b'20230101000000Z'."""
    return datetime.strptime(value.decode("utf-8"), "%Y%m%d%H%M%SZ")


start_time = time.time()
try:
    sts = vsphere_client.vcenter.certificate_management.vcenter.SigningCertificate.get()
    # The chain is ordered leaf first; element 0 is the certificate that signs tokens.
    leaf_pem = sts.active_cert_chain.cert_chain[0]
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, leaf_pem)
    issuer = cert.get_issuer()
    print("Certificate information")
    print("==============")
    # Print each subject component under its own label (CN, O, OU, ...), not all of them as CN.
    for name, value in cert.get_subject().get_components():
        print(("Subject " + name.decode("utf-8") + ":").ljust(30), value.decode("utf-8"))
    print("Serial number:".ljust(30), hex(cert.get_serial_number()))
    print("Issuer CN:".ljust(30), issuer.commonName)
    print("Signature algorithm:".ljust(30), cert.get_signature_algorithm().decode("utf-8"))
    print("Valid from:".ljust(30), asn1_time(cert.get_notBefore()).strftime("%Y-%m-%d %H:%M:%S"))
    print("Valid to:".ljust(30), asn1_time(cert.get_notAfter()).strftime("%Y-%m-%d %H:%M:%S"))
    print("Expired:".ljust(30), cert.has_expired())
    print("Public key bits:".ljust(30), cert.get_pubkey().bits())
    print("Public key:\n",
          OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, cert.get_pubkey()).decode("utf-8"))
    print("Issuer information")
    print("==============")
    labels = {
        "CN": "Common name (CN):",
        "C": "Country (C):",
        "ST": "State/province (ST):",
        "O": "Organization (O):",
        "OU": "Organizational unit (OU):",
    }
    for name, value in issuer.get_components():
        name = name.decode("utf-8")
        if name in labels:
            print(labels[name].ljust(30), value.decode("utf-8"))
    # get_version() is zero-based (0 = X.509 v1), so add 1 to show the version number.
    print("Version:".ljust(30), cert.get_version() + 1)
    print("Extension count:".ljust(30), cert.get_extension_count())
    # Label extensions by their own name rather than by position; the order is not guaranteed.
    for i in range(cert.get_extension_count()):
        ext = cert.get_extension(i)
        print((ext.get_short_name().decode("utf-8") + ":").ljust(30), ext)
except VapiError as err:
    # Errors raised by the vAPI SDK carry a list of localizable messages plus data and error_type.
    print("\033[1;31m Encountered an error, please see the following information \033[0m")
    for msg in err.messages:
        print("\tError Class:", msg.id,
              "\n\tMessage:", msg.default_message,
              "\n\tArgs:", msg.args,
              "\n\tParams:", msg.params,
              "\n\tLocalized:", msg.localized)
    print("Error Data:", err.data,
          "\nError Type:", err.error_type)
run_time = time.time() - start_time
print("Used Time:".ljust(30), run_time)
Script output screenshot:
Key method: vcenter.certificate_management.vcenter.SigningCertificate.refresh(force=True)
Description: refreshes the vCenter signing certificate chain. A new signing certificate is issued according to the vCenter CA policy and set as the active signing certificate of the vCenter token service. It is used immediately to sign the tokens the token service issues, so any relying party that validates vCenter tokens against a cached copy of the old signing certificate has to fetch the new chain.
Parameters: force
force: whether to force the refresh even though the current signing certificate is still valid. As a rule set it to True; otherwise the refresh fails.
Return value: the new certificate chain (cert_chain, a list of PEM certificates ordered leaf first); its details can be viewed with Get vCenter Signing Certificate.
Script:
'''
This script forces a refresh of the STS (vCenter token service) signing certificate.
'''
import time
from com.vmware.vapi.std.errors_client import Error as VapiError
from vSphere_Automation_SDK.Connect_to_vCenter_Server import vsphere_client

start_time = time.time()
try:
    # force=True refreshes even though the current signing certificate is still valid.
    refreshsts = vsphere_client.vcenter.certificate_management.vcenter.SigningCertificate.refresh(force=True)
    print("vCenter Signing Certificate refreshed successfully\n"
          "Note: vCenter Server services do not restart; the new certificate signs tokens immediately")
    # refresh() returns a single chain ordered leaf first (leaf, then intermediates, then root),
    # so index 0 is the new signing certificate and the following entries are its issuers.
    for i, pem in enumerate(refreshsts.cert_chain):
        label = "Leaf (signing) certificate" if i == 0 else "Issuer certificate %d" % i
        print(label + ":\n" + pem)
except VapiError as err:
    # Errors raised by the vAPI SDK carry a list of localizable messages plus data and error_type.
    print("\033[1;31m Encountered an error, please see the following information \033[0m")
    for msg in err.messages:
        print("\tError Class:", msg.id,
              "\n\tMessage:", msg.default_message,
              "\n\tArgs:", msg.args,
              "\n\tParams:", msg.params,
              "\n\tLocalized:", msg.localized)
    print("Error Data:", err.data,
          "\nError Type:", err.error_type)
run_time = time.time() - start_time
print("Used Time:".ljust(30), run_time)
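The following is an added example, not part of the original post or of the vSphere SDK. Both SigningCertificate.get().active_cert_chain.cert_chain and the value returned by SigningCertificate.refresh() are lists of PEM strings ordered leaf first, then intermediates, then the root. Before a relying party trusts element 0 to verify tokens, this code checks that ordering: every certificate must be within its validity period, element 0 must be an end-entity certificate, each certificate must be issued and signed by the one after it, and the last one must be self-signed. A two-level RSA chain (root CA plus signing leaf) is generated locally as constructed data so the check runs offline; make_test_chain(), validate_chain() and the names inside them are assumptions, and only RSA PKCS#1 v1.5 signatures are handled, with other key types rejected explicitly rather than accepted silently.

```python
"""Sanity checks for a leaf-first signing certificate chain (added example, not SDK code)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _build(subject_cn, issuer_name, issuer_key, subject_key, is_ca):
    """Constructed certificate: `subject_key` certified by `issuer_key` under `issuer_name`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def make_test_chain():
    """Constructed chain [leaf, root] shaped like active_cert_chain.cert_chain."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Root CA")])
    root = _build("Test Root CA", root_name, root_key, root_key, is_ca=True)
    leaf = _build("sts.vcsa.lab.local", root_name, root_key, leaf_key, is_ca=False)
    return [c.public_bytes(serialization.Encoding.PEM).decode() for c in (leaf, root)]


def _utc(cert, attr):
    # cryptography >= 42 exposes timezone-aware not_valid_*_utc; older releases only the naive value.
    value = getattr(cert, attr + "_utc", None)
    if value is None:
        value = getattr(cert, attr).replace(tzinfo=datetime.timezone.utc)
    return value


def _issued_by(cert, issuer):
    """True when `issuer` both names and cryptographically signed `cert`."""
    if cert.issuer != issuer.subject:
        return False
    pub = issuer.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        raise ValueError("this example verifies RSA issuers only")
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def validate_chain(pems, now=None):
    """Return (ok, reason) for a leaf-first list of PEM strings as the signing-certificate API returns it."""
    if not pems:
        return False, "empty chain"
    certs = [x509.load_pem_x509_certificate(p.encode()) for p in pems]
    now = now or datetime.datetime.now(datetime.timezone.utc)
    for i, cert in enumerate(certs):
        if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
            return False, "certificate %d is outside its validity period" % i
    # Tokens are verified with element 0, so it must be an end-entity certificate, not a CA.
    try:
        if certs[0].extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, "element 0 is a CA certificate, not the signing leaf"
    except x509.ExtensionNotFound:
        pass
    for i in range(len(certs) - 1):
        if not _issued_by(certs[i], certs[i + 1]):
            return False, "certificate %d is not signed by certificate %d" % (i, i + 1)
    if not _issued_by(certs[-1], certs[-1]):
        return False, "last certificate is not a self-signed root"
    return True, "ok"


if __name__ == "__main__":
    chain = make_test_chain()
    print("well-ordered chain:", validate_chain(chain))
    print("reversed chain:", validate_chain(list(reversed(chain))))
```

Run the same function over refreshsts.cert_chain from the refresh script or over every entry of signing_cert_chains; a False result means the returned list is not a usable chain and the leaf must not be handed to token validation code.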
References:
vCenter REST APIs v7.0U3
vSphere-Python-Automation-Scripts/v1/Certificate-Management
For the other posts in this series, follow the column; more content on vSphere Python automation is on the way: vSphere python自动化