Error: "Invalid server certificate" when using Connect-VIServer command in VMware PowerCLI
Article ID: 374937

Products

VMware vCenter Server

Issue/Introduction

  • After replacing the MACHINE_SSL certificate of the vCenter, an attempt to connect to vCenter using VMware PowerCLI may fail with a certificate-related error.
  • Connect-VIServer : M/DD/YYYY 10:00:00 AM        Connect-VIServer                Error: Invalid server certificate.
    Use
    Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect
    once or to add a permanent exception for this server.
    Additional Information: Could not establish secure channel for SSL/TLS with authority '10.1x.2x.3x'.
    At D:\VCenterHealthChckReport\Vcenter-FQDN.local:82 char:2
    +     Connect-VIServer $vCenter -User [email protected] -Pass ...
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException
        + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.

Environment

vCenter Server 7.x
vCenter Server 8.x

Cause

The previous connection saved in VMware PowerCLI for the vCenter would have saved the thumbprint of the old certificate used for MACHINE_SSL.

Once the certificate is replaced, the thumbprint of the new certificate needs to be saved and trusted.

Resolution

  1. Re-enable SSL Certificate Validation: After you’ve connected and accepted the new thumbprint, you might want to re-enable SSL certificate validation. Use this command to reset the configuration:

    powershell
     
    Set-PowerCLIConfiguration -InvalidCertificateAction Prompt -Confirm:$false

By following these steps, you will have accepted the new thumbprint and ensured your PowerCLI session is configured to handle SSL certificates properly.


Option 2 

To reconnect to a vCenter Server using PowerCLI and accept the thumbprint, you can use the following approach:

  1. Disconnect from vCenter (if connected):

     
    Disconnect-VIServer -Server <vCenterServer> -Confirm:$false
  2. Reconnect to vCenter and handle the thumbprint:

    Use the Connect-VIServer cmdlet. If the thumbprint of the vCenter Server's SSL certificate has changed or is not trusted, you'll need to accept it manually. PowerCLI will prompt you to accept the thumbprint if it's not already trusted.

     
    $server = "<vCenterServer>"
    $username = "<Username>"
    $password = "<Password>"

    Connect-VIServer -Server $server -User $username -Password $password -Force

    When you run this command, if the thumbprint is not trusted or has changed, PowerCLI will prompt you to accept the new thumbprint. You’ll need to respond to this prompt interactively.

Note: For automated scripts where interactive thumbprint acceptance isn’t possible, you might need to handle thumbprint validation and acceptance programmatically. This usually involves fetching the thumbprint and pre-accepting it using a script, but handling thumbprint acceptance interactively is the most common method.

If you are automating and want to handle thumbprints without prompts, ensure your environment is set up to manage and trust certificates properly, perhaps using an internal certificate authority (CA) or configuring certificate thumbprints manually in your PowerCLI scripts.
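One way to do the programmatic check described in the note above, as an added example that is not code from this article or from VMware: it fetches the certificate vCenter presents, compares its SHA-256 thumbprint with a value recorded out-of-band after the MACHINE_SSL replacement, and connects only on a match. The function names and the `<ExpectedSha256Thumbprint>` placeholder are assumptions.

```powershell
# Added example; Get-ServerCertificate and Test-PinnedThumbprint are hypothetical names.
function Get-ServerCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept whatever is presented: this handshake only retrieves the
        # certificate for inspection; no credentials are sent over it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $cert, $chain, $policyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($Server)
            # Copy the certificate so it stays valid after the stream is disposed.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

function Test-PinnedThumbprint {
    param([Parameter(Mandatory)][string]$Server,
          [Parameter(Mandatory)][string]$ExpectedSha256)
    $cert = Get-ServerCertificate -Server $Server
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try {
        # SHA-256 over the DER-encoded certificate, as upper-case hex.
        $actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    } finally { $sha.Dispose() }
    # Normalise the pin: drop colons/whitespace, upper-case.
    $expected = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()
    [pscustomobject]@{
        Server = $Server; Subject = $cert.Subject; NotAfter = $cert.NotAfter
        Actual = $actual; Expected = $expected; Match = ($actual -eq $expected)
    }
}

$server = '<vCenterServer>'
$pin    = '<ExpectedSha256Thumbprint>'   # placeholder: record this out-of-band

$check = Test-PinnedThumbprint -Server $server -ExpectedSha256 $pin
if (-not $check.Match) {
    throw "Thumbprint mismatch for ${server}: presented $($check.Actual)"
}
# Pin matched: relax validation for this session only, then connect.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope Session -Confirm:$false | Out-Null
Connect-VIServer -Server $server -Credential (Get-Credential)
```

The check and the later connection are separate TLS handshakes, and `Ignore` applies to every connection made in the session, so keep the session short-lived. Importing the issuing CA into the client's trusted root store removes the need for the exception altogether.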

Example of accepting thumbprint manually:

    powershell

    # Define the server and credentials
    $server = "<vCenterServer>"
    $credential = Get-Credential

    # Connect to the vCenter Server
    Connect-VIServer -Server $server -Credential $credential -Force

Note: Make sure to replace <vCenterServer>, <Username>, and <Password> with your actual vCenter server address and credentials.