Resolving SSL Certificate Trust Errors When Running PowerShell Scripts for vLCM Transition via SDDC Manager

Article ID: 408232

Products

VMware SDDC Manager

Issue/Introduction

When executing PowerShell scripts for transitioning to vSphere Lifecycle Manager (vLCM) Images using SDDC Manager, you may encounter an SSL connection error:

Error Message:
[ERROR] SSL Connection error to SDDC Manager "<sddc_manager_fqdn>". 
Please check that SDDC Manager has a CA signed certificate or Powershell trusts insecure certificates.

This typically occurs when PowerShell attempts to connect to SDDC Manager but does not trust the SSL certificate in use.

Environment

  • VMware Cloud Foundation 9.0

  • PowerShell / PowerCLI executed against SDDC Manager

Cause

By default, SDDC Manager is deployed with a self-signed SSL certificate.

  • PowerShell (and PowerCLI) do not trust self-signed or unverified certificates.

  • If the certificate has not been replaced with a CA-signed certificate, the connection is rejected, and the error is displayed.

Resolution

You can resolve this issue by either installing a CA-signed certificate (recommended) or importing the existing SDDC Manager certificate into your workstation’s trusted certificate store.

Option 1 — Install a CA-Signed Certificate (Recommended)

Replacing the self-signed certificate with a CA-signed certificate ensures secure communication and eliminates trust issues for all future PowerShell and API operations.

Follow the official VMware documentation to replace SDDC Manager certificates:
Certificate Management in VMware Cloud Foundation 9.0

Option 2 — Import SDDC Manager Certificate into Trusted Root Authorities

If using a CA-signed certificate is not immediately possible, you can manually trust the existing certificate on your workstation.

Step 1: Export the Certificate

  • If VMCA is used, export the VMCA root certificate from the vCenter Server Appliance: /var/lib/vmware/vmca/root.cer

  • Save the root.cer file to the workstation where the PowerShell script is executed.

Step 2: Import into Windows Trusted Root Store

  1. On the workstation, run mmc.exe.

  2. Add the Certificates snap-in for Local Computer.

  3. Navigate to: Trusted Root Certification Authorities → Certificates

  4. Right-click → Import → select the root.cer file.

Step 3: Restart PowerShell

  • Close and relaunch PowerShell.

  • Re-run the script.
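
A scripted form of Step 2 that compares the certificate's SHA-256 fingerprint with a value read on the vCenter Server Appliance before trusting it, then checks that the SDDC Manager chain validates. This is an added example, not part of the original article; the save path, the fingerprint placeholder and the check against port 443 are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article). Path, fingerprint and port are assumptions.
param(
    [string]$RootCerPath     = 'C:\Temp\root.cer',      # assumed location where root.cer was saved in Step 1
    [string]$ExpectedSha256  = '<sha256-fingerprint>',  # placeholder; read it on the appliance, e.g.:
    # openssl x509 -in /var/lib/vmware/vmca/root.cer -noout -fingerprint -sha256
    [string]$SddcManagerFqdn = '<sddc_manager_fqdn>'
)
$ErrorActionPreference = 'Stop'

# Load the file (PEM or DER) and fingerprint the certificate itself, not the file bytes.
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCerPath)
$sha    = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''

# Accept either bare hex or the "Fingerprint=AA:BB:..." form printed by openssl.
$expected = ($ExpectedSha256 -replace '^.*=', '' -replace '[:\s]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch for $RootCerPath (got $actual); not importing."
}

# A trusted-root entry should be a CA certificate inside its validity period.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Certificate is not marked as a CA.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period.' }

# Step 2 equivalent: Local Computer > Trusted Root Certification Authorities.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($cert) } finally { $store.Close() }
Write-Host "Imported $($cert.Subject) [$($cert.Thumbprint)]"

# Confirm the SDDC Manager chain validates with the default (strict) checks.
# AuthenticateAsClient throws if the chain or the host name does not verify.
$tcp = [System.Net.Sockets.TcpClient]::new($SddcManagerFqdn, 443)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
    $ssl.AuthenticateAsClient($SddcManagerFqdn, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    Write-Host "Chain for $SddcManagerFqdn validates; issuer: $($ssl.RemoteCertificate.Issuer)"
} finally { $tcp.Close() }
```

A root placed in the Local Computer store makes every certificate it issues trusted on that workstation, which is why the fingerprint is compared before the import. Step 3 still applies before re-running the transition script.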

Additional Information