In this quick article we’ll go through the steps needed to install the VMware vCenter Trusted Root CA certificate on a client, so that a web browser can establish a verified (and not just encrypted) connection to vCenter.
The process is simple: we take the CA certificate that vCenter generates for itself during deployment and import it into the machines of our home lab, or at least into the computer we use to open the VMware Web Client.
What typically happens is that the browser we are using (Mozilla Firefox in this case) flags the connection to the vCenter website as not secure. The reason is that during the deployment of the vCenter platform the installer creates its own certificate authority (the VMware Certificate Authority, VMCA) and uses it to issue the certificate that the built-in vSphere web server presents to browsers. Every session is encrypted with that certificate, but the certificate chains up to a root that only vCenter knows about.
That root is self-signed and is not issued by any public Certification Authority the browser already trusts, hence the warning: the browser cannot tell whether it is talking to our vCenter or to someone sitting in the middle presenting a different certificate.
How can we solve this? There are two options. Either we purchase a certificate from a public CA for the vCenter hostname (they are not so expensive these days) and replace the vCenter machine SSL certificate with it, or we keep the certificate vCenter generated during installation and simply import its root CA certificate as trusted on the client we use to connect to the vCenter website. The second option costs nothing, but note what it means: the client will then trust any certificate issued by that CA, so this is only appropriate for a CA we control, such as the one in our own home lab.
In this article we’ll use Mozilla Firefox but the same steps pretty much apply to other web browsers as well.
So let’s take a look on how to install a Trusted Root CA Certificate for vCenter Server.
How to install VMware vCenter Trusted Root CA Certificate
One of the symptoms we usually see right after installing VMware vCenter is the web browser (Firefox in this example) warning us about an insecure connection to the vCenter server. In a nutshell, the connection is encrypted, but the browser cannot build a chain from the server certificate to a Certification Authority it trusts, hence the warning.
The reason is of course that the certificate was issued by the CA vCenter created for itself during deployment. What we can do is import that CA certificate into our environment, or simply into the computer we use to connect to the vCenter Server. One check is worth doing first: the bundle we are about to download travels over the very connection the browser does not yet trust, so before importing anything compare the certificate’s thumbprint with the value obtained through another channel (for example from the vCenter appliance shell). Importing a root certificate is an act of trust and should not be based on an unverified download.
From the right-hand menu on the vCenter landing page let’s download the Trusted Root CA Certificates bundle. It is a zip file, so let’s open it with a utility like 7-Zip or similar. Inside we usually find two files per CA, named “*.0” and “*.r1” (or “*.r0”).
These are respectively the root CA certificate itself, PEM encoded, and its Certificate Revocation List (CRL). Neither contains a private key; the bundle holds only public material. The next step is to rename the file ending in “.0” so that it ends in “.cer”, which lets Windows recognise it as a certificate.
Next, from the command line, let’s fire up the Microsoft Management Console (mmc.exe):
From the menu File > Add/Remove Snap-in we can select the Certificates snap-in.
In the next dialog let’s choose the Computer account option, as per the screenshot below, so the certificate becomes trusted for every user and service on the machine, not just for our own profile.
In this case we’ll go for Local computer. What’s interesting (from a general point of view) is that for large deployments it is also possible to distribute certificates through Group Policy, making sure only the intended computers in the domain receive the right certificates.
From this view, under Trusted Root Certification Authorities > Certificates, let’s right click and choose All Tasks > Import to start the wizard and import the certificate.
A new wizard starts and let’s click on next to continue.
From the wizard let’s point to the certificate file.
Either option is fine here, as long as the certificate ends up in the Trusted Root Certification Authorities store: having started the wizard from that store, it is already selected for us.
Now the wizard is showing the main details before committing the changes.
In a few seconds the Certificates folder of the Trusted Root Certification Authorities store shows our new entry. With a double click we can also review its properties such as Issuer, validity dates and thumbprint; this is the moment to confirm that the thumbprint matches the value we obtained out of band.
If we now start a web browser on the computer where we imported the certificate we are pretty much done, at least for browsers that rely on the Windows certificate store. In the case of Firefox there is an extra step.
Firefox ships its own trust store and, by default, ignores roots added to the operating system (Mozilla calls these “enterprise roots”). We can change this behaviour from the advanced configuration page. As per the screenshot below let’s go into about:config:
Let’s search for “security.enterprise_roots.enabled” and change its value to “true”. The change takes effect immediately, no restart required.
At this point if we try to open the vCenter main page now the connection shows as secure with a green lock.
As an additional note, on a Windows machine we can also simply double click the certificate file to start the same import wizard. I’d rather use the MMC method, since it also lets me take a quick look at the other installed certificates and replace them when they expire.
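For anyone who prefers to script the steps above (extract the bundle, rename the .0 file, check the thumbprint, import into the machine Trusted Root store, enable enterprise roots in Firefox, verify), here is a PowerShell version. This is an added example written for this article, not a VMware tool or script. It assumes the download.zip bundle has already been saved from the vCenter landing page to the path in $ZipPath, that $VCenterHost is the FQDN typed into the browser, and that it is run from an elevated prompt, since writing to Cert:\LocalMachine\Root and HKLM needs administrator rights. The Firefox part uses the ImportEnterpriseRoots enterprise policy, which sets security.enterprise_roots.enabled for every profile on the machine instead of one profile via about:config.

```powershell
# Added example for this article (not VMware's code). Assumptions:
#   $ZipPath     - the "download.zip" trusted-roots bundle already saved from vCenter
#   $VCenterHost - the vCenter FQDN used in the browser
# Run from an elevated PowerShell prompt.

$ZipPath     = "$env:USERPROFILE\Downloads\download.zip"   # assumption
$VCenterHost = 'vcsa.lab.local'                            # assumption
$Work        = Join-Path $env:TEMP 'vcsa-trusted-roots'

# 1. Unpack the bundle. "*.0" files are PEM-encoded root CA certificates,
#    "*.r0"/"*.r1" files are the matching CRLs. Nothing in here is secret.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $Work -Force
$certFiles = Get-ChildItem -Path $Work -Recurse -File |
    Where-Object { $_.Extension -match '^\.\d+$' }
if (-not $certFiles) { throw "No *.0 certificate files found under $Work" }

foreach ($f in $certFiles) {
    # 2. Rename *.0 -> *.cer so Windows tooling recognises the file.
    $cer = Rename-Item -LiteralPath $f.FullName -NewName ($f.BaseName + '.cer') -PassThru

    # 3. Show subject, validity and SHA-1 thumbprint. Compare the thumbprint
    #    with the value obtained outside this browser session (e.g. from the
    #    vCenter appliance shell) BEFORE trusting it as a root.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer.FullName)
    "{0}`n  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}`n  SHA1 {3}" -f `
        $cert.Subject, $cert.NotBefore, $cert.NotAfter, $cert.Thumbprint

    # Only a CA certificate belongs in the Trusted Root store; skip anything else.
    $isCa = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority
    }
    if (-not $isCa) { Write-Warning "$($cer.Name) is not a CA certificate, skipping"; continue }

    # 4. Import into the machine-wide Trusted Root store, the same store the MMC
    #    wizard targets with 'Computer account' > 'Local computer'.
    Import-Certificate -FilePath $cer.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 5. Firefox keeps its own trust store and ignores Windows roots unless told
#    otherwise. about:config -> security.enterprise_roots.enabled = true does it
#    per profile; this enterprise policy does the same for all profiles and is
#    what a GPO would push in a domain.
$pol = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name 'ImportEnterpriseRoots' -Type DWord -Value 1

# 6. Verify that Windows itself now validates the chain. This exercises the
#    Windows store (SChannel) that the import populated, not Firefox's store.
function Test-TlsTrust {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # Throws AuthenticationException if the chain is untrusted or the name does not match.
            $ssl.AuthenticateAsClient($HostName)
            return $true
        } catch [System.Security.Authentication.AuthenticationException] {
            Write-Warning $_.Exception.Message
            return $false
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

if (Test-TlsTrust -HostName $VCenterHost) { "TLS chain for $VCenterHost is trusted" }
else { "TLS chain for $VCenterHost is still NOT trusted; re-check the thumbprint and the import" }
```

The CA check in step 3 matters because the Trusted Root store grants full trust: a leaf certificate dropped in there by mistake would be accepted as a root. Step 6 reports a failure both when the chain is untrusted and when the hostname does not match the certificate, which is also what the browser warns about.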