Attempts to configure a proxy server in SDDC Manager fail with a validation error. SDDC Manager cannot establish a secure connection through the proxy because the certificate presented during the TLS handshake is not trusted.
Error message: Can't validate proxy configuration: Error establish SSL/TLS connection to proxy. Invalid proxy SSL certificate.
Verification error: num=19:self-signed certificate in certificate chain.
SDDC Manager
The network environment uses SSL Inspection: the firewall intercepts the encrypted traffic and presents a certificate issued by its own self-signed CA to SDDC Manager. Because the SDDC Manager trust store does not contain the firewall's Root CA, the chain cannot be verified and the connection is terminated, exactly as it would be for a suspected Man-in-the-Middle (MitM) attack.
To resolve this issue, SDDC Manager must be able to verify the certificate chain presented for the Broadcom depots. Use one of the following methods:
Method 1: SSL Inspection Bypass
Work with your Network Security team to create an SSL Inspection bypass (whitelist entry) for the domain *dl.broadcom.com on the firewall/proxy.
This allows SDDC Manager to receive the original, globally trusted certificates directly from the source.
Method 2: Import Firewall CA to SDDC Manager Trust Store
If SSL Inspection is mandatory, you must add the firewall's Root CA certificate to the SDDC Manager trust store:
Obtain the Root CA certificate from your Network Administrator.
Follow the steps in the KB article below to add the certificate to the SDDC Manager trust store: https://knowledge.broadcom.com/external/article?articleNumber=316056
Validation Command: To verify whether SSL inspection is active, run the following and check the issuer of the returned certificate and the verify return code:
openssl s_client -proxy <PROXY_IP>:<PORT> -connect depot.vmware.com:443
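The following is an added example, not part of the KB article, that wraps the same openssl s_client probe in a small POSIX shell script so the cause above (verify error 19, a self-signed CA in the chain) can be recognised from the output rather than read by eye: it classifies the result as trusted, inspected or not connected, and prints the issuer of the leaf certificate, which names the inspecting CA when inspection is active. The PROXY and DEPOT values, the "Example Firewall CA" and "Example Public CA" names and the two sample s_client outputs are constructed placeholders; the live probe runs only when PROXY is exported by the operator, and it assumes an OpenSSL build that has the -proxy option (1.1.0 and later).

```shell
#!/bin/sh
# Added example, not from the KB article. Classifies the result of the KB's
# validation command (openssl s_client via the proxy) and reports the issuer.
# PROXY / DEPOT are placeholders: export PROXY=<PROXY_IP>:<PORT> for a live probe.

DEPOT="${DEPOT:-depot.vmware.com:443}"

# Run the KB's validation command non-interactively: stdin closed so s_client
# exits after the handshake, stderr merged so "verify error" lines are captured.
probe_depot() {
    openssl s_client -proxy "$PROXY" -connect "$DEPOT" \
        -servername "${DEPOT%%:*}" </dev/null 2>&1
}

# classify_probe: read s_client output on stdin, print one word:
#   trusted    chain verified against the local trust store (return code 0)
#   inspected  verify error 19 (self-signed certificate in chain): the proxy or
#              firewall is re-signing the connection with a CA we do not trust
#   no-connect CONNECT to the proxy or the TCP connection itself failed
#   unknown    anything else (other verify errors, unexpected output)
classify_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo trusted
    elif printf '%s\n' "$out" | grep -Eq 'Verify return code: 19 |num=19:'; then
        echo inspected
    elif printf '%s\n' "$out" | grep -Eq 'connect:errno|Connection refused|CONNECT failed'; then
        echo no-connect
    else
        echo unknown
    fi
}

# issuer_of: print the issuer of the leaf certificate from s_client output.
# With inspection active this is the firewall CA, not the depot's public CA.
issuer_of() {
    sed -n 's/^issuer=//p' | head -n 1
}

# Constructed sample outputs (abridged, not captured from a real SDDC Manager).
SAMPLE_INSPECTED='CONNECTED(00000003)
depth=1 C = US, O = Example Corp, CN = Example Firewall CA
verify error:num=19:self-signed certificate in certificate chain
---
Certificate chain
 0 s:CN = depot.vmware.com
   i:C = US, O = Example Corp, CN = Example Firewall CA
---
subject=CN = depot.vmware.com
issuer=C = US, O = Example Corp, CN = Example Firewall CA
---
Verify return code: 19 (self-signed certificate in certificate chain)
---'

SAMPLE_TRUSTED='CONNECTED(00000003)
depth=2 C = US, O = Example Public CA, CN = Example Public Root
verify return:1
---
subject=CN = depot.vmware.com
issuer=C = US, O = Example Public CA, CN = Example Public Issuing CA
---
Verify return code: 0 (ok)
---'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_INSPECTED" | classify_probe   # inspected
printf '%s\n' "$SAMPLE_INSPECTED" | issuer_of        # C = US, O = Example Corp, CN = Example Firewall CA
printf '%s\n' "$SAMPLE_TRUSTED"   | classify_probe   # trusted

# Live probe against the real proxy, only when PROXY has been set by the operator.
if [ -n "${PROXY:-}" ]; then
    live=$(probe_depot)
    printf 'result: %s\nissuer: %s\n' \
        "$(printf '%s\n' "$live" | classify_probe)" \
        "$(printf '%s\n' "$live" | issuer_of)"
fi
```

An "inspected" result whose issuer is an internal CA name confirms that Method 1 or Method 2 applies; a "trusted" result with a public issuer means the depot certificate is arriving unmodified and the proxy configuration error has a different cause.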