Enable vCenter Trusted Root CA Certificate for Web Browsers

In this quick article we’ll explore the steps on how to enable the Trusted Root CA Certificate to establish a secure and verified connection with VMware vCenter using a Web Browser.

The process is very simple and it is just a matter of using the built-in certificate into our home lab environment or at least from the computer we are using to start the VMware Web Client.

Generally speaking what might happen is browser we are using (Mozilla Firefox in this case) is showing the connection to the VMware vCenter website as not secure. This is because during the deployment of VMware vCenter platform the installer will create a self-signed certificate to encrypt all sessions before leaving the built-in VMware vSphere Web Server.

Now this self-signed certificate is not validated against any public Certification Authority hence the message from the web browser warning about the security level of this connection.

How can we solve this? Simple. Either we purchase a valid SSL certificate we can use in our home lab (they are not so expensive these days) and re-configure vCenter SSO or simply trust our own generated SSL certificate during VMware vCenter Server installation and import it on the client we use to connect to the vCenter website.

In this article we’ll use Mozilla Firefox but the same steps pretty much apply to other web browsers as well.

So let’s take a look on how to install a Trusted Root CA Certificate for vCenter Server.


How to install VMware vCenter Trusted Root CA Certificate

One of the symptoms we usually get right after the installation of VMware vCenter is the message from the web browser (Firefox in this example) warning us about an insecure connection to the vCenter server. In a nutshell the web connection is encrypted with a certificate but the web browser cannot verify such certificate against a public Certification Authority hence the warning.

The reason is of course that such certificate is self-generated during the vCenter deployment. What we can do is to import such certificate into our environment or simply into the computer we use to connect to the vCenter Server.

From the right menu on the first page let’s download the Trusted Root CA Certificate. Let’s open this file with an utility like 7zip or similar. Inside this file we can usually find 2 certificates named “*.0” and “*.r1”.

These are respectively the private certificate part and it’s revocation. Next step is to rename the first one ending with “.0” in “.cer”. Trusted Root CA Certificate connection not secure

Next from the command line let’s fire the Management console with:

“mmc.exe” Trusted Root CA Certificate mmc.exe

From Menu File > Add/Remove SnapIn we can select the one for Certificates. Trusted Root CA Certificate mmc snap-in

From this menu let’s go for the Computer option as per screenshot below. Trusted Root CA Certificate mmc computer account

And in this case we’ll go for the Local computer. What’s interesting (from a general point of view) is for large deployments it is also possible to distribute Certificates also through Group Policies making sure only intended computers in the domain get the right Certificates. Trusted Root CA Certificate mmc local computer

From this view let’s do a right click to start the wizard and import the certificate. Trusted Root CA Certificate mmc import

A new wizard starts and let’s click on next to continue. Trusted Root CA Certificate import wizard

From the wizard let’s point to the certificate file. Trusted Root CA Certificate wizard select

Either option is basically fine in this case. Trusted Root CA Certificate wizard placement

Now the wizard is showing the main details before committing the changes. Trusted Root CA Certificate wizard complete

In a few seconds we now have the tree showing a new subfolder with our Trusted Root CA Certificate. With a double click we can also review the properties like Issuer, validity dates and more. Trusted Root CA Certificate properties

So if we start the web browser from the computer where we imported the certificate we are pretty much done. In the case of Firefox web browser there is an extra step.

In fact by default does not accept “Enterprise Certificates” by default. So what we can do it is simply to change this policy from the advanced configuration. As per screenshot below let’s go into:

“about:config” Trusted Root CA Certificate firefox config

Let’s find for “security.enterprise_roots.enabled” and change the value to “True”. The change will be effective immediately. Trusted Root CA Certificate firefox enabled

At this point if we try to open the vCenter main page now the connection shows as secure with a green lock. Trusted Root CA Certificate vCenter firefox

As an additional note when accessing the vCenter console from a Windows machine we can simply double click on the certificate file to start the import wizard. I’d rather use the other method also to take a quick look at the other certificates and replace them when expired.

About the author

Michele Domanico

Passionate about Virtualization, Storage, Data Availability and Software Defined Data Center technologies. The aim of is sharing with the Community the knowledge and experience gained with customers, industry leaders and like minded peers. Always open to constructive feedback and new challenges.

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Browse articles

September 2018
« Aug    

Articles by Category


%d bloggers like this: