VMware: Export the vCenter VMCA_ROOT_CERT certificate


in the default configuration the ESXi host gets a TLS certificate from the vCenter signed bei the VMCA_ROOT_CERT certificate.

So if you want to connect directly to a ESXi server you have to accept a secure warning or the browser does not accept the certificate due to HSTS error.

The solution is to import the VMCA_ROOT_CERT certificate in the TLS/SSL root certificates of your client computer.

The vSphere GUI does not offer the ability to export the certificate so you have to do this at the VCSA command line.

Login to the VCSA by ssh. Get the list and find the vcsa root certificate and the selfsigned certificate with the hostname as CN.

Command> shell
root@myCVenter [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
CN(id):         A35412348D33EA5EB11E66EF901A1F8D99B96111
Subject DN:     CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=myCVenter , OU=VMware
CRL present:    yes
CN(id):         66EA12FBB01EA5EB11E667FECDE63F8D99B78999
Subject DN:     CN=myCVenter , DC=vsphere, DC=local, C=US, ST=California, O=myCVenter , OU=VMware Engineering
CRL present:    yes


Export the certificates

root@myCVenter [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id A35412348D33EA5EB11E66EF901A1F8D99B0465 --outcert /tmp/vmca_root.cer
root@myCVenter [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id 66EA12FBB01EA5EB11E667FECDE63F8D99B78999--outcert /tmp/vmca.cer

Copy the certificate to your client and import it the root certificate store.

Via Powerhell

PS D:\> Import-Certificate -FilePath D:\vmca_root.cer -CertStoreLocation Cert:\LocalMachine\Root -Confirm:$false
PS D:\> Import-Certificate -FilePath D:\vmca.cer -CertStoreLocation Cert:\LocalMachine\Root -Confirm:$false

Or certutil

D:\> certutil -addstore root D:\vmca_root.cer
D:\> certutil -addstore root D:\vmca.cer

See also: Renew a ESXi host certificate


Advertisment to support michlstechblog.info

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.