Posted on July 27, 2016 · Posted in VMWare

Removing VMWare vCenter Self-Signed Certificate Warning

When you connect to a VMWare vCenter server in a web browser, a warning appears that the site uses a self-signed certificate issued by an untrusted certification authority. In Firefox, this warning can be disabled just by adding the vCenter website to the list of exceptions, but in Internet Explorer the procedure is more complicated.

SSL certificates installed by default on ESXi and vCenter servers are self-signed, so other systems do not trust them and show a warning or block the connection to these websites. To get rid of the warning, you can either add the self-signed certificate to the list of trusted certificates or replace it with your own certificate issued by a trusted certification authority. We’ll consider the first option. The procedure is simple, but a few steps are not obvious.

So when opening a vCenter server webpage in the browser, a window with the following warning appears:

There is a problem with this website’s security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website’s address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

Note. The warning "The security certificate presented by this website was issued for a different website’s address" is shown because in our case the host name differs from the CN for which the certificate was issued. To avoid this warning, open the server in the browser by the FQDN for which the certificate was issued. By the way, for convenience you can replace this certificate with your own one created using the New-SelfSignedCertificate cmdlet, which lets you issue a certificate for any set of CNs.

After clicking the Continue to this website (not recommended) link, you get to the vCenter Getting Started page. To download the certificate, click Download trusted root CA certificates.

Save the file to any directory. The name of the file is download (with no extension).

Then change the extension of download to and extract it with the built-in archiver  (Extract All).

The cert archive contains 2 files with the extensions .0 and .r0. Change the file extension .0 to .cer.

Now you only have to add this root CA certificate to the list of trusted certificates. Suppose we want this certificate to be trusted only for the current account. Open the certmgr.msc console, go to Certificates > Trusted Root Certification Authorities and start the certificate import wizard (Import) from the context menu.

Select the certificate file obtained earlier and place it in the Trusted Root Certification Authorities store.

Confirm adding the certificate.

A new certificate with the name CA appears in the list.

Open the vCenter webpage in the browser again. The warning won’t appear.
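
The manual steps above as a PowerShell script, with a thumbprint check before the import. This is an added example, not part of the original article; it assumes the downloaded file is a ZIP archive, and the default path and $ExpectedThumbprint are placeholders to replace with the thumbprint confirmed by the vCenter administrator.

```powershell
# Added example: paths and the expected thumbprint are placeholders, not values from the article.
param(
    [string]$DownloadPath = "$env:USERPROFILE\Downloads\download",  # file saved from the vCenter page
    [string]$ExpectedThumbprint = '<SHA1-THUMBPRINT-FROM-VCENTER-ADMIN>'  # obtained out of band
)
$ErrorActionPreference = 'Stop'

# Work in a scratch folder so the original download stays untouched.
$work = Join-Path $env:TEMP ('vcenter-ca-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# Expand-Archive only accepts a .zip extension, so copy the file under that name first.
$zip = Join-Path $work 'download.zip'
Copy-Item -LiteralPath $DownloadPath -Destination $zip
Expand-Archive -LiteralPath $zip -DestinationPath $work

# The archive holds the CA certificate (.0) and a .r0 file; only the .0 file is imported.
$caFiles = @(Get-ChildItem -Path $work -Recurse -File | Where-Object { $_.Extension -eq '.0' })
if ($caFiles.Count -ne 1) { throw "Expected exactly one .0 file, found $($caFiles.Count)" }

# Same rename as in the manual steps: .0 -> .cer
$cer = Join-Path $work ($caFiles[0].BaseName + '.cer')
Copy-Item -LiteralPath $caFiles[0].FullName -Destination $cer

# Inspect the certificate before trusting it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cer
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($bc -and $bc.CertificateAuthority)) { throw 'Not a CA certificate (basic constraints).' }
if ((Get-Date) -lt $cert.NotBefore -or (Get-Date) -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period.'
}

# A root placed in the trusted store can vouch for any site, so compare its thumbprint
# with the value confirmed by the vCenter administrator before importing.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# Current-user store only, as in the article; Windows shows its own confirmation dialog.
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\Root
Remove-Item -LiteralPath $work -Recurse -Force
```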

Note. If you need to deploy this certificate to domain computers, you can use Group Policy (How to Install a Certificate on Domain Computers Using GPO).

These guidelines apply to vCenter Server Appliance. If you are using Windows vCenter Server, you won’t be able to download the certificate file, since there is no link to download the archive with the certificate. In that case the file is stored on the vCenter Server (running Windows) in C:\ProgramData\VMware\SSL\ (C:\Programdata\VMware\VMware VirtualCenter\SSL in earlier versions). The certificate from this directory has to be imported on a client in the same way.