How to Trust vCenter SSL Certificate

These days it’s easy to find small environments where the VMware vCenter SSL certificate is not signed by a proper certification authority. For example, you just installed vCenter Server in your lab as described in How to Install VCSA 6.5 (VMware vCenter Server Appliance).

The picture below is something you often see in these environments. In this article I will show how to trust all vCenter-issued certificates on a single Windows computer. This takes care of the vCenter SSL certificate and also the ESXi servers’ certificates (only for the ESXi servers under vCenter management, of course) in Internet Explorer, Microsoft Edge and Google Chrome.

vCenter SSL Certificate - Internet Explorer Error

Install vCenter SSL Certificate

The first step is to access the root URL of your vCenter Server (in my case https://vcenter.lab.local) in Internet Explorer. After you pass through the above screenshot, you will be presented with the vCenter landing page. Notice the red “Certificate error” in the address bar. In the bottom right of the page there is a link, “Download trusted root CA certificates”. Right-click on it and click “Save target as…”. Make a note of the folder where you’re downloading the certificates archive.

vCenter SSL Certificate - Download Trusted Root CA Certificates

Unzip the archive and navigate to “certs/win”. Right-click on the crt file and choose “Install Certificate” from the menu.

vCenter SSL Certificate - Install CRT File

The Certificate Import Wizard will start. Click on “Next”.

vCenter SSL Certificate - Certificate Import Wizard

Click on “Place all certificates in the following store”. Then click “Browse” and choose “Trusted Root Certification Authorities”. Click “OK” and then “Next”.

vCenter SSL Certificate - Choose Certificates Store

Click “Finish”.

vCenter SSL Certificate - Finish Certificate Wizard

Confirm the import was successful. Click “OK”.

vCenter SSL Certificate - Certificate Wizard OK
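
The same import can be scripted, with one check the wizard does not make: the archive was downloaded over a connection the browser could not yet authenticate, so the script compares each certificate's thumbprint with a value you obtained separately before importing it. This is an added example, not part of the original article. The archive path, the extraction folder and the expected thumbprint are placeholders, and it imports into the current user's store rather than the machine store.

```powershell
# Added example (not from the original article). Replace the placeholders below.
$zip      = "$env:USERPROFILE\Downloads\download.zip"       # assumed download location
$dest     = Join-Path $env:TEMP 'vcenter-ca'                # assumed scratch folder
$expected = 'REPLACE_WITH_THUMBPRINT_VERIFIED_OUT_OF_BAND'  # SHA-1 thumbprint (hex)

Expand-Archive -Path $zip -DestinationPath $dest -Force

# The article's "certs/win" folder; it can hold more than one .crt file.
$crtFiles = Get-ChildItem -Path (Join-Path $dest 'certs\win') -Filter *.crt
$want     = $expected -replace '[^0-9A-Fa-f]'               # drop spaces and colons

foreach ($file in $crtFiles) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)

    # A CA certificate carries a basicConstraints extension with CA=TRUE.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # Show what is about to become a trust anchor on this computer.
    [pscustomobject]@{
        File       = $file.Name
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfIssued = ($cert.Subject -eq $cert.Issuer)
        IsCA       = $isCa
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    } | Format-List

    if (-not $isCa) {
        Write-Warning "$($file.Name): not a CA certificate, skipped."
        continue
    }
    if ($cert.Thumbprint -ne $want) {
        Write-Warning "$($file.Name): thumbprint differs from the expected value, skipped."
        continue
    }

    # Equivalent of choosing "Trusted Root Certification Authorities" in the wizard.
    # Windows may ask for confirmation when a root is added to the user store.
    Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\CurrentUser\Root
}
```

Anything this CA signs is trusted by this Windows profile afterwards, so the entry can be removed from `Cert:\CurrentUser\Root` by thumbprint once the lab is retired.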

Confirm vCenter SSL Certificate Is Now Trusted

Close all Internet Explorer windows. Open Internet Explorer and visit the vCenter root URL or the vSphere Web Client URL. The error page is gone and you have a nice padlock on the right side of the address bar.

vCenter SSL Certificate - Internet Explorer OK

Open Google Chrome and access the same URL. You will see a nice green secure icon and no ugly red error 🙂

vCenter SSL Certificate - Google Chrome OK

If you’re part of a large deployment, you may wish to try alternative ways of trusting the vCenter SSL certificate. See KB2108294 for two ways to achieve this (Active Directory Group Policy Update in Deployments with VMCA as an Intermediate Certificate Authority, Active Directory Group Policy Update in Deployments with Custom Certificates or VMCA-Signed Certificates).

Constantin Ghioc
