VMware Certificates

VMware uses certificates to secure the SSL/TLS communication between the vCenter components and the ESXi nodes.

Where vCenter uses an untrusted or invalid certificate, connections to the ESXi nodes can fail with errors of the form "Could not establish trust relationship for the SSL/TLS secure channel with authority".

This occurs, for example, when running the PowerCLI Connect-VIServer cmdlet, which our VMware scripts use.

The failure can result in an Unknown error being recorded against the script in its Dashboard More Information section.

One of the following three approaches can be taken to resolve this issue.

Import the VMware Certificate Authority (VMCA) root certificate

VMCA uses self-signed certificates that are automatically generated as part of the ESXi installation process. To add these certificates to the Windows Trusted Root Certification Authorities store:

  1. Launch a browser
  2. Navigate to https://<vCenter Server>/ and click on Download trusted root CA certificates or go to https://<vCenter Server>/certs/download.zip to download the certificate
  3. Extract the downloaded ZIP file
  4. Double-click the .CRT file and use the wizard to import the certificate into the Windows Trusted Root Certification Authorities store
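Step 4 and the trust check that follows it, scripted in Windows PowerShell as an added example (not from the original article or from VMware): $vCenter and $CertFolder are placeholders for your vCenter FQDN and the folder the ZIP was extracted to, and writing to the machine Root store needs an elevated session.

```powershell
param(
    [Parameter(Mandatory)] [string] $vCenter,     # placeholder: your vCenter FQDN
    [Parameter(Mandatory)] [string] $CertFolder   # placeholder: folder where certs/download.zip was extracted
)
# Step 4 scripted: add each extracted .crt to the machine-wide Trusted Root store.
# Writing to LocalMachine\Root requires an elevated session.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
foreach ($file in Get-ChildItem -Path $CertFolder -Recurse -Filter *.crt) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
    if ($store.Certificates.Contains($cert)) {
        Write-Host "Already trusted: $($cert.Subject) [$($cert.Thumbprint)]"
    } else {
        $store.Add($cert)
        Write-Host "Imported: $($cert.Subject) [$($cert.Thumbprint)]"
    }
}
$store.Close()
# Check that the certificate vCenter presents on 443 now chains to a trusted root.
# This is the validation that fails with the "Could not establish trust relationship"
# error in Connect-VIServer when the VMCA root is missing from the store.
function Test-VCenterTrust {
    param([string] $Server, [int] $Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Complete the handshake unconditionally; trust is evaluated explicitly below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Judge chain trust only: skip revocation, as .NET's default HTTPS validation does,
        # since VMCA-issued certificates typically publish no CRL distribution point.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($leaf)
        [pscustomobject]@{
            Server  = $Server
            Subject = $leaf.Subject
            Issuer  = $leaf.Issuer
            Expires = $leaf.NotAfter
            Trusted = $trusted
            Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    } finally {
        $client.Close()
    }
}

Test-VCenterTrust -Server $vCenter
```

A result with Trusted set to False and a Status of UntrustedRoot means the import has not taken effect for the account running the scripts; PartialChain or NotTimeValid point instead at a missing intermediate or an expired certificate, which the CA-signed approach below also has to manage.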

Replace the default certificates with CA-signed SSL certificates

Although VMCA certificates are unique to each installation, they are not signed by, or verifiable against, a trusted certification authority (CA), which may not comply with your organization's security policy.

To create a CA-signed SSL certificate:

  1. Generate a Certificate Signing Request (CSR) in the vSphere Certificate Manager
  2. Submit this request to your enterprise CA or to an external certificate authority for signing
  3. Replace the self-signed certificates with the CA-signed versions

Because CA-signed certificates expire, we suggest putting in place a process to manage the certificates used by VMware.

Use Set-PowerCLIConfiguration to ignore certs (not advised)

  1. Launch an elevated PowerCLI session
  2. Run the following command to ignore invalid certificates:
     Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

Further information

Please refer to the following VMware documentation for further information.