
How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294)

Details

When you use the vSphere Web Client to connect to a vCenter Server system, your Web browser displays a message similar to:
  • There is a problem with this website's security certificate
  • The connection is not private
  • This connection is untrusted
  • ERR_CERT_AUTHORITY_INVALID
  • NET::ERR_CERT_AUTHORITY_INVALID
The precise message depends on your Web browser. To resolve this issue, download the root certificates from the vCenter Server system that you are targeting and install them on the machine that runs the browser you use to access the vSphere Web Client.

Solution

How you resolve this issue depends on the environment at your site, on whether VMCA is an intermediate certificate, and on whether your Web browser uses the operating system certificate store (Internet Explorer, Chrome) or manages its own certificate store (Firefox).

Certificate Download in Small Deployments

This procedure is for you if your environment has these characteristics:
  • A Web browser that uses the operating system certificate store on Windows (such as Internet Explorer or Google Chrome).
  • A small deployment with one or two client machines that connect to a vCenter Server installation.
  • Use of default certificates or custom certificates.

You can download the VMware Certificate Authority (VMCA) root and leaf certificates and then add them to the operating system root store of the system from which you are connecting to the vCenter Server system.

  1. From a client system Web browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending port numbers or 'vsphere-client' extension.

    For example:
    https://vcenter.domain.com/

  2. Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.
  3. Change the extension of the file to .zip.
    The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  4. Extract the contents of the ZIP file.
    The result is a .certs folder that contains two types of files. Files with a number as the extension (.0, .1, and so on) are root certificates. Files with an extension that starts with an r (.r0, .r1, and so on) are CRL files associated with a certificate.
  5. Install the certificate files as trusted certificates by following the process that is appropriate for your operating system.
    For most Microsoft Windows systems, you can follow the instructions at https://technet.microsoft.com/en-us/library/cc754841.aspx

Firefox has its own trusted roots store and does not use the operating system store. If you are working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.

Active Directory Group Policy Update in Deployments with VMCA as an Intermediate Certificate Authority

This procedure is for you if your environment has these characteristics:

  • A Web browser that uses the operating system certificate store on Windows (such as Internet Explorer and Google Chrome).
  • The vCenter Server system is accessed from several different machines.
  • VMCA is set up to be an intermediate CA.

You can import the root certificate into the group policy of your Active Directory environment to make the certificates trusted in your Active Directory domain. After the certificates are trusted, the browser error no longer appears on any machine that is part of the Active Directory domain.

  1. From a client system Web browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending port numbers or 'vsphere-client' extension.

    For example:
    https://vcenter.domain.com/

  2. Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.
  3. Change the extension of the file to .zip.
    The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  4. Extract the ZIP file.
    The result is a .certs folder that contains two types of files. Files with a number extension (.0, .1, and so on) are root certificates. Change the extension to .crt. Files with an extension that starts with an r (.r0, .r1, and so on) are CRL files associated with a certificate. Change the extension to .crl.
  5. Open the Active Directory Group Policy Management Editor.
  6. Open Public Key Policies and select Intermediate Certification Authorities.
  7. Add the certificate file or files that you downloaded.
  8. From your Windows command prompt, run gpupdate /force to force an update.

Firefox has its own trusted roots store and does not use the operating system store. If you are working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.

Active Directory Group Policy Update in Deployments with Custom Certificates or VMCA-Signed Certificates

This procedure is for you if your environment has these characteristics:

  • A Web browser that uses the operating system certificate store on Windows (such as Internet Explorer and Google Chrome).
  • The vCenter Server system is accessed from several different machines.
  • You use a root certificate from a CA that is not trusted in your environment. That CA can be VMCA or a different CA that is not trusted.

You can import the root certificate into the group policy of your Active Directory environment to make the certificates trusted in your Active Directory domain. After you do that, the browser error no longer shows up on any machine that is part of the Active Directory domain.

  1. From a client system Web browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending port numbers or 'vsphere-client' extension.

    For example:
    https://vcenter.domain.com/

  2. Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.
  3. Change the extension of the file to .zip.
    The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  4. Extract the contents of the ZIP file.
    The result is a .certs folder that contains two types of files. Files with a number extension (.0, .1, and so on) are root certificates. Change the extension to .crt. Files with an extension that starts with an r (.r0, .r1, and so on) are CRL files associated with a certificate. Change the extension to .crl.
  5. Open the Active Directory Group Policy Management Editor.
  6. Open Public Key Policies and select Trusted Root Certification Authorities.
  7. Add the certificate file or files that you downloaded.
  8. From your Windows command prompt, run gpupdate /force to force an update.

Firefox has its own trusted roots store and does not use the operating system store. If you are working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.
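
The bundle is downloaded over the same connection that the browser has not yet validated, so the following PowerShell (an added example, not VMware code) scripts the extract and rename steps shared by the three procedures above, reports each certificate's subject, issuer and SHA-256 fingerprint, and imports only certificates whose fingerprint matches a value confirmed through a separate channel. The file paths, parameter names, and the choice of sending self-issued CA certificates to the Trusted Root store and all other CA certificates to the Intermediate store are assumptions of this example.

```powershell
# Added example, not VMware code. Paths and parameter names are assumptions.
param(
    [string]$Download = "$env:USERPROFILE\Downloads\download.zip",  # file from step 2, renamed to .zip
    [string]$WorkDir = (Join-Path $env:TEMP ("vcenter-roots-" + [guid]::NewGuid())),
    [string[]]$ExpectedSha256 = @(),  # fingerprints confirmed out of band; empty means report only
    [switch]$Import                   # needs an elevated session (writes to LocalMachine stores)
)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$wanted = @($ExpectedSha256 | ForEach-Object { ($_ -replace '[:\s]', '').ToUpperInvariant() })

Expand-Archive -LiteralPath $Download -DestinationPath $WorkDir -Force

$report = foreach ($f in Get-ChildItem -LiteralPath $WorkDir -Recurse -File -Force) {
    if ($f.Extension -match '^\.r\d+$') {
        # .r0, .r1, ... are CRLs: append .crl so Windows recognises the file type
        Rename-Item -LiteralPath $f.FullName -NewName ($f.Name + '.crl')
        continue
    }
    if ($f.Extension -notmatch '^\.\d+$') { continue }

    # .0, .1, ... are certificates: append .crt (keeps name.0 and name.1 distinct)
    $crt  = Rename-Item -LiteralPath $f.FullName -NewName ($f.Name + '.crt') -PassThru
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($crt.FullName)
    $bc   = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $fp   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''

    [pscustomobject]@{
        File       = $crt.Name
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfIssued = ($cert.Subject -eq $cert.Issuer)   # name comparison only, not a signature check
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        NotAfter   = $cert.NotAfter
        Sha256     = $fp
        Verified   = ($wanted -contains $fp)
        Path       = $crt.FullName
    }
}
$report | Format-List File, Subject, Issuer, SelfIssued, IsCA, NotAfter, Sha256, Verified

if ($Import) {
    # Import only fingerprint-matched CA certificates; everything else stays on disk for review.
    foreach ($r in $report | Where-Object { $_.Verified -and $_.IsCA }) {
        $store = if ($r.SelfIssued) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
        Import-Certificate -FilePath $r.Path -CertStoreLocation $store
    }
}
```

Run it once without -Import to read the report, then rerun from an elevated prompt with -ExpectedSha256 and -Import. For the Group Policy procedures, the renamed .crt files left in the work directory are the files to add in step 7.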
