{"id":8702,"date":"2022-04-13T22:03:04","date_gmt":"2022-04-13T20:03:04","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=8702"},"modified":"2023-12-20T08:43:12","modified_gmt":"2023-12-20T07:43:12","slug":"vmware-export-the-vcenter-vmca_root_cert-certificate","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/vmware-export-the-vcenter-vmca_root_cert-certificate\/","title":{"rendered":"VMware: Export the vCenter VMCA_ROOT_CERT certificate"},"content":{"rendered":"<p>Hi,<\/p>\n<p>In the default configuration, the ESXi host gets a TLS certificate from the vCenter, signed by the VMCA_ROOT_CERT certificate.<br \/>\n<!--more--><br \/>\nSo if you want to connect directly to an ESXi server, you have to accept a security warning, or the browser rejects the certificate due to an <strong>HSTS<\/strong> error.<\/p>\n<p>The solution is to import the VMCA_ROOT_CERT certificate into the TLS\/SSL root certificate store of your client computer.<\/p>\n<p>The vSphere GUI does not offer the ability to export the certificate, so you have to do this at the VCSA command line.<\/p>\n<p>Log in to the VCSA via SSH. 
List the trusted certificates and find the VCSA root certificate and the self-signed certificate with the hostname as CN.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nCommand&gt; shell\r\nroot@myCVenter &#x5B; ~ ] \/usr\/lib\/vmware-vmafd\/bin\/dir-cli trustedcert list\r\n....\r\n#1:\r\nCN(id):         A35412348D33EA5EB11E66EF901A1F8D99B96111\r\nSubject DN:     CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=myCVenter , OU=VMware\r\nCRL present:    yes\r\n....\r\n#5:\r\nCN(id):         66EA12FBB01EA5EB11E667FECDE63F8D99B78999\r\nSubject DN:     CN=myCVenter , DC=vsphere, DC=local, C=US, ST=California, O=myCVenter , OU=VMware Engineering\r\nCRL present:    yes\r\n\r\n....\r\n<\/pre>\n<p>Export the certificates:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@myCVenter &#x5B; ~ ] \/usr\/lib\/vmware-vmafd\/bin\/dir-cli trustedcert get --id A35412348D33EA5EB11E66EF901A1F8D99B96111 --outcert \/tmp\/vmca_root.cer\r\nroot@myCVenter &#x5B; ~ ] \/usr\/lib\/vmware-vmafd\/bin\/dir-cli trustedcert get --id 66EA12FBB01EA5EB11E667FECDE63F8D99B78999 --outcert \/tmp\/vmca.cer\r\n<\/pre>\n<p>Copy the certificates to your client and import them into the root certificate store.<\/p>\n<p>Via PowerShell:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; Import-Certificate -FilePath D:\\vmca_root.cer -CertStoreLocation Cert:\\LocalMachine\\Root -Confirm:$false\r\nPS D:\\&gt; Import-Certificate -FilePath D:\\vmca.cer -CertStoreLocation Cert:\\LocalMachine\\Root -Confirm:$false\r\n<\/pre>\n<p>Or with certutil:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; certutil -addstore root D:\\vmca_root.cer\r\nD:\\&gt; certutil -addstore root D:\\vmca.cer\r\n<\/pre>\n<p>See also: <a href=\"https:\/\/michlstechblog.info\/blog\/vmware-renew-an-esxi-host-certificate-by-powercli\/\" rel=\"noopener\" target=\"_blank\">Renew<\/a> an ESXi host 
certificate<\/p>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, in the default configuration the ESXi host gets a TLS certificate from the vCenter signed by the VMCA_ROOT_CERT certificate.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[1837,1838,394,1839,346,86,1524,14,110],"class_list":["post-8702","post","type-post","status-publish","format-standard","hentry","category-vmware","tag-certiifcate","tag-esxi-certificate-not-trusted","tag-export","tag-hsts","tag-root","tag-vcenter","tag-vcsa","tag-vmware-2","tag-vsphere"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=8702"}],"version-history":[{"count":12,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8702\/revisions"}],"predecessor-version":[{"id":8719,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8702\/revisions\/8719"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=8702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=8702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=8702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}