VMware: Export the vCenter VMCA_ROOT_CERT certificate

Hi,

in the default configuration the ESXi host gets a TLS certificate from the vCenter signed bei the VMCA_ROOT_CERT certificate.

So if you want to connect directly to a ESXi server you have to accept a secure warning or the browser does not accept the certificate due to HSTS error.

The solution is to import the VMCA_ROOT_CERT certificate in the TLS/SSL root certificates of your client computer.

The vSphere GUI does not offer the ability to export the certificate so you have to do this at the VCSA command line.

Login to the VCSA by ssh. Get the list and find the vcsa root certificate and the selfsigned certificate with the hostname as CN.

Command> shell
root@myCVenter [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
....
#1:
CN(id):         A35412348D33EA5EB11E66EF901A1F8D99B96111
Subject DN:     CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=myCVenter , OU=VMware
CRL present:    yes
....
#5:
CN(id):         66EA12FBB01EA5EB11E667FECDE63F8D99B78999
Subject DN:     CN=myCVenter , DC=vsphere, DC=local, C=US, ST=California, O=myCVenter , OU=VMware Engineering
CRL present:    yes

....

Export the certificates

root@myCVenter [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id A35412348D33EA5EB11E66EF901A1F8D99B0465 --outcert /tmp/vmca_root.cer
root@myCVenter [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id 66EA12FBB01EA5EB11E667FECDE63F8D99B78999--outcert /tmp/vmca.cer

Copy the certificate to your client and import it the root certificate store.

Via Powerhell

PS D:\> Import-Certificate -FilePath D:\vmca_root.cer -CertStoreLocation Cert:\LocalMachine\Root -Confirm:$false
PS D:\> Import-Certificate -FilePath D:\vmca.cer -CertStoreLocation Cert:\LocalMachine\Root -Confirm:$false

Or certutil

D:\> certutil -addstore root D:\vmca_root.cer
D:\> certutil -addstore root D:\vmca.cer

See also: Renew a ESXi host certificate

Michael

Leave a Reply Cancel reply