How to import the certificates used in a VMware Cloud Foundation environment to a client system

Article ID: 316767

Products

VMware Cloud Foundation

Issue/Introduction

After deploying VMware Cloud Foundation 2.2 or greater, a certificate warning is presented when accessing the SDDC Manager UI or the vSphere Web Client. The warning will state ERR_CERT_AUTHORITY_INVALID. This warning is generated because the certificates used in the VMware Cloud Foundation environment are not trusted by the client system. This article provides instructions to import the certificates used in the VMware Cloud Foundation environment to the client system from which the SDDC Manager UI or vSphere Web Client is accessed.

Resolution

  1. SSH to the SDDC Manager Controller virtual machine as the root user.
  2. Issue commands similar to the following to export the certificates:
     /usr/lib/vmware-vmca/bin/certool --getrootca --cert=PSC-CA-1.cer --server <psc-1 IP address> --srp-upn [email protected] --srp-pwd <[email protected] password>
     /usr/lib/vmware-vmca/bin/certool --getrootca --cert=PSC-CA-2.cer --server <psc-2 IP address> --srp-upn [email protected] --srp-pwd <[email protected] password>

Notes:
  • Replace <psc-1 IP address> and <psc-2 IP address> with the IP addresses for the psc-1 and psc-2 virtual machines. These can be obtained from the Summary tab for each virtual machine in the vSphere Web Client.
  • Obtain the password for the [email protected] account by running the /home/vrack/bin/lookup-passwords command on the SDDC Manager Controller virtual machine.
  • You will see output similar to the following from the preceding certool commands:
     Certificate written to file : PSC-CA-1.cer
     Status : Success
  3. Use a file transfer utility to copy the PSC-CA-1.cer and PSC-CA-2.cer files from /root on the SDDC Manager Controller virtual machine to the client system.
  4. On the client system, click the Start menu and type MMC. Click on mmc.exe.
  5. Click on the File menu and choose Add/Remove Snap-in.
  6. Select Certificates from the Available snap-ins list and click the Add button. Select Computer account and click the Next button in the Certificates snap-in window. Click the Finish button in the Select Computer window. Click the OK button.
  7. Expand the Certificates folder and then expand the Trusted Root Certification Authorities folder.
  8. Right click the Certificates folder under the Trusted Root Certification Authorities folder, select All Tasks and then select Import.
  9. Click the Next button on the Welcome screen in the Certificate Import Wizard window.
  10. Click the Browse button and select the PSC-CA-1.cer file that was copied in Step 3. Click the Open button.
  11. Click the Next button, click the Next button, click the Finish button.
  12. Repeat Steps 8-11 but select the PSC-CA-2.cer file.
Note: Test the results of this procedure by accessing the SDDC Manager UI or the vSphere Web Client. There should be no certificate warning presented.
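
The following PowerShell is an added example, not part of the original article or VMware tooling. It is a scripted equivalent of Steps 4-12 that first checks each copied file against a SHA-256 value taken on the SDDC Manager Controller virtual machine, because anything placed in Trusted Root Certification Authorities becomes a trust anchor for the whole client. The C:\Temp path and the hash placeholders are assumptions, as is the check that the VMCA root is self-signed (the default configuration).

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the Windows client.
# Assumptions: the files were copied to C:\Temp (hypothetical path) and the
# expected values come from running `sha256sum PSC-CA-1.cer PSC-CA-2.cer` in
# /root on the SDDC Manager Controller VM (placeholders below).
$expected = @{
    'C:\Temp\PSC-CA-1.cer' = '<sha256 of PSC-CA-1.cer from SDDC Manager>'
    'C:\Temp\PSC-CA-2.cer' = '<sha256 of PSC-CA-2.cer from SDDC Manager>'
}

foreach ($path in $expected.Keys) {
    # Refuse files that changed between the SDDC Manager and this client.
    # -ne is case-insensitive, so lowercase sha256sum output compares fine.
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $expected[$path]) {
        Write-Warning "Hash mismatch for $path, not importing"
        continue
    }

    # Parse the certificate and show what is about to become a trust anchor.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    $cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint | Out-Host

    # Sanity check, assuming the default self-signed VMCA root: subject and
    # issuer match and the basic constraints extension marks it as a CA.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if ($cert.Subject -ne $cert.Issuer -or -not ($bc -and $bc.CertificateAuthority)) {
        Write-Warning "$path is not a self-signed CA certificate, not importing"
        continue
    }

    # Same store the MMC steps target: Local Computer > Trusted Root
    # Certification Authorities.
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Confirm the certificate is now present in the store.
    if (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
        Write-Output "Imported $($cert.Subject) [$($cert.Thumbprint)]"
    }
}
```

Copy the files in binary mode; a transfer that rewrites line endings changes the hash and the script will skip the file.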