Download and install vCenter Server root certificates to avoid web browser certificate warnings
search cancel

Download and install vCenter Server root certificates to avoid web browser certificate warnings

book

Article ID: 330833

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

When using the vSphere Client to connect to a vCenter Server system, the web browser displays a message similar to:

  • There is a problem with this website's security certificate
  • The connection is not private
  • This connection is untrusted
  • ERR_CERT_AUTHORITY_INVALID
  • NET:ERR_CERT_AUTHORITY_INVALID

Note: If the above error messages are present with vCloud Director, refer to Repairing a VMware Cloud Director Appliance that was re-initialized.

You may also experience file download failures when attempting to download files from ESXi hosts through either the vCenter interface or the host UI directly. This behavior typically affects multiple browsers simultaneously.

This issue can occur when first accessing vCenter from a new workstation, after vCenter Server certificate renewal or regeneration, following a vCenter upgrade, or when using a browser with its own certificate store (such as Firefox) that hasn't had certificates imported separately.

The precise message depends on the web browser.

Additional symptoms reported:

  • Unable to download files from ESXi hosts using vCenter or host interface directly
  • Suspected port blocking or unknown failure point preventing downloads

Environment

VMware vSphere ESXi
VMware vCenter Server

Cause

 

The vCenter Server and ESXi host root CA certificates are not present in the workstation's Trusted Root Certificate Authorities store. When these certificates are not trusted, browsers may allow page viewing but block certain operations such as file downloads as a security measure.

This issue can reappear after vCenter Server or ESXi SSL certificate renewal, certificate regeneration, or upgrades that result in new certificates being issued. When certificates are updated on the server side, the previously imported root CA certificates on your workstation may no longer match or validate the new certificate chain. In these cases, you will need to download and install the updated root certificates again by following the resolution steps below.

Resolution

This issue can be resolved depending on the environment, on whether the VMCA is an intermediate certificate, and on whether the web browser uses the operating system certificate store (Internet Explorer, Chrome) or manages its own certificate store (Firefox).

Note: It is recommended to connect to the vCenter Server FQDN on environments with External Platform Services Controllers, as the option to "Download trusted root CA certificates" is only available on vCenter Server Appliance URL (whether it is Embedded PSC or Management Node).

Certificate Download in Small Deployments

This procedure is for environments that have the following characteristics:
  • A web browser that uses the operating certificate store on Windows (such as Internet Explorer or Google Chrome)
  • A small deployment with one or two client machines that connect to a vCenter Server installation
  • Use of default certificates or custom certificates

Download the VMware Certificate Authority (VMCA) root and leaf certificates and then add them to the operating system root store of the machine attempting to connect to the vCenter Server system. Refer to the Additional Information section in this KB for screenshots.

  1. From a client system web browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending port numbers or 'vsphere-client' extension.

    For example:
    https://vcenter.domain.com/

    Note:
    • Direct URL to download the Certificate is https://vCenter_FQDN/certs/download.zip
      • Example - https://vcenter.domain.com/certs/download.zip.
    • From Linux machines, wget command can be used to download the Certificates
      • Example - "wget https://vcenter.domain.com/certs/download.zip"
         
  2. Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.
  3. Change the extension of the file to .zip.
    The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  4. Extract the contents of the ZIP file.
    The result is a .certs folder that contains two types of files.
    • Files with a number as the extension (.0, .1, and so on) are root certificates.
    • Files with an extension that starts with an r (.r0,. r1, and so on) are CRL files associated with a certificate.
  5. Install the certificate files as trusted certificates by following the process that is appropriate for the operating system. 

Firefox has its own trusted roots store and does not use the operating system store. If working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.

Active Directory Group Policy Update in Deployments with VMCA as an Intermediate Certificate Authority

This procedure is for environments that have the following characteristics:

  • A web browser that uses the operating certificate store on Windows (such as Internet Explorer and Google Chrome)
  • The vCenter Server system is accessed from several different machines
  • VMCA is set up to be an intermediate CA

Import the root certificate into the group policy of the Active Directory environment to make the certificates trusted in the Active Directory domain. After the certificates are trusted, the browser error no longer appears on any machine that is part of the Active Directory domain.

  1. From a client system web browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending port numbers or 'vsphere-client' extension.

    For example:
    https://vcenter.domain.com/

    Note:
    • Direct URL to download the Certificate is https://vCenter_FQDN/certs/download.zip
      • Example - https://vcenter.domain.com/certs/download.zip
    • From Linux machines, wget command can be used to download the Certificates
      • Example - "wget https://vcenter.domain.com/certs/download.zip"
         
  2. Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.
  3. Change the extension of the file to .zip.
    The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  4. Extract the ZIP file.
    The result is a .certs folder that contains two types of files.
    • Files with a number extension (.0, .1, and so on) are root certificates. Change the extension to .crt.
    • Files with a extension that starts with an r (.r0,. r1, and so on) are CRL files associated with a certificate. Change the extension to .crl.
  5. Open the Active Directory Group Policy Management Editor.
  6. Open Public Key Policies and select Intermediate Certification Authorities.
  7. Add the certificate file or files that was downloaded.
  8. From the Windows command prompt, run gpupdate /force to force an update.

Firefox has its own trusted roots store and does not use the operating system store. If working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.

Active Directory Group Policy Update in Deployments with Custom Certificates or VMCA-Signed Certificates

This procedure is for environments that have the following characteristics:

  • A web browser that uses the operating certificate store on Windows (such as Internet Explorer and Google Chrome)
  • The vCenter Server system is accessed from several different machines
  • A root certificate from a CA that is not trusted in the environment. That CA can be VMCA or a different CA that is not trusted.

Import the root certificate into the group policy of the Active Directory environment to make the certificates trusted in the Active Directory domain. After the certificates are trusted, the browser error no longer appears on any machine that is part of the Active Directory domain.

  1. From a client system web browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending port numbers or 'vsphere-client' extension.

    For example:
    https://vcenter.domain.com/

    Note:
    • Direct URL to download the Certificate is https://vCenter_FQDN/certs/download.zip
      • Example - https://vcenter.domain.com/certs/download.zip
    • From Linux machines, wget command can be used to download the Certificates
      • Example - "wget https://vcenter.domain.com/certs/download.zip"
         
  2. Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.
  3. Change the extension of the file to .zip.
    The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  4. Extract the contents of the ZIP file.
    The result is a .certs folder that contains two types of files.
    • Files with a number extension (.0, .1, and so on) are root certificates. Change the extension to .crt.
    • Files with a extension that starts with an r (.r0,. r1, and so on) are CRL files associated with a certificate. Change the extension to .crl.
  5. Open the Active Directory Group Policy Management Editor.
  6. Open Public Key Policies and select Trusted Root Certificate Authorities.
  7. Add the certificate file or files that was downloaded.
  8. From the Windows command prompt, run gpupdate /force to force an update.

Firefox has its own trusted roots store and does not use the operating system store. If working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.

Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ

The following example shows the steps to download the root certificates and then add them to the operating system root store of the machine attempting to connect the vCenter Server system.
 

  • From a client system web browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending port numbers or 'vsphere-client' extension
     
  • Right-click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file using Save Link as and enter a path to save the file (optionally, download the file by Clicking the download link). 
  • Downloaded file Download.zip is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  • Extract the contents of the ZIP file. The result is a certs folder that contains two types of files.
    • Files with a number as the extension (.0.1, and so on) are root certificates.
    • Files with an extension that starts with an r (.r0,. r1, and so on) are CRL files associated with a certificate.
  • Install the certificate files as trusted certificates by following the process that is appropriate for the operating system. The following is an example:
    • Click Start, click Start Search, type mmc, and then press ENTER
    • On the File menu, click Add/Remove Snap-in 
    • Select Certificates,and then click Add
    • Select Computer Account -> Click Next -> Select Local Computer -> Click on Finish -> Click OK
    • Select Certificates under Trusted Root Certification Authorities and Right Click -> Select All Tasks -> Click Import
    • Click Next
    • Enter the path of downloaded Certificate and Click Next
    • Select the Certificate Store and Click Next (proceed with the default selection)
    • Verify the details and Click Finish
    • If successful, the following message appears. Repeat the same for each Trusted Certificate.
 
 
 

The following screenshot shows an example to directly download the Certificates using "wget" (VCSA is used in this example):

Powered by Wolken Software