How to avoid browser warnings when using the vCenter Web Client with a self-signed certificate


If you have a recent VMware vSphere installation with a vCenter server in production or in a lab, then you will be aware that the Web Client is the recommended choice for managing the environment and that the well-known C#-based vSphere Client is considered deprecated or legacy (since version 5.1 already).

However, when you connect to the Web Client of your freshly installed vCenter server for the first time using your favorite Internet browser, you will be greeted by a more or less alarming warning. Chrome even warns you that VMware might steal your credit card information ;-) (well, they probably already have that) ... You should really be worried whenever you see this warning on a random Internet site, but you don't need to be if it is your company-internal vCenter server that you are trying to access.

So, why do you get this message, and how can you get rid of it?

The reason for this message is that the vCenter installation by default uses a self-signed certificate for the SSL-secured browser connection, and your computer does not trust this certificate. To address this issue VMware recommends replacing the default certificates with custom certificates issued by your own internal PKI. In the past it was a bold venture to manually replace the certificates, but nowadays VMware supplies not only extensive documentation for this process but even a tool to automate it. Nevertheless, in my opinion it is still quite an effort, because each vCenter component and all ESXi hosts use their own certificate and there are a lot of dependencies between them.

So, can you get rid of the annoying browser warning without replacing the default certificates? Yes, you can, and here is how:

All you need to do is make your computer trust the self-signed default certificate of the Web Client. If your vCenter server is running on Windows then it is stored there in the file

   %ALLUSERSPROFILE%\VMware\vSphere Web Client\ssl\cacert.pem

If you are using the vCenter Linux appliance then the file name should be

  /etc/vmware-vsphere-client/SerenityDB/keys/vsphere-client-ca-cert.pem

(but sorry, I have not verified that, because I still use Windows only for vCenter)

Update 2015-03-16: For the vCenter 6.0 appliance the file is at

  /var/lib/vmware/vmca/root.cer

Copy this file to your Windows client and rename it to something.cer. Right-click on it and choose Install Certificate from the context menu to start the import wizard. In this wizard be sure to select Local Machine as the store location (you need admin permissions for this step) and place the certificate in the Trusted Root Certification Authorities store. That's it! Relaunch your preferred browser and the nasty message will be gone.

Alternatively you can use the command line

   certutil -addStore -f Root <certfile>

in a command prompt that you run as administrator.
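The following PowerShell script is an added example and not part of the original post: it performs the same import as the certutil command above and then confirms that the certificate the Web Client actually presents chains to the file you just trusted, which is the check you want before telling a whole domain to trust it. The file path, host name and port are placeholders, and Import-Certificate requires Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example (not from the original post). Assumptions (placeholders):
# the PEM was copied to C:\temp\vcenter-cacert.cer, the vCenter server is
# reachable as vcenter.example.local, and the Web Client listens on port 9443.
param(
    [string]$CertFile    = 'C:\temp\vcenter-cacert.cer',
    [string]$VCenterHost = 'vcenter.example.local',
    [int]   $Port        = 9443
)

# 1. Import into LocalMachine\Root (same effect as: certutil -addStore -f Root <certfile>).
$ca = Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host ("Imported CA: {0} (thumbprint {1})" -f $ca.Subject, $ca.Thumbprint)

# 2. Fetch the leaf certificate the Web Client presents. The callback accepts the
#    handshake only so we can read the certificate; validation is done explicitly in step 3.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($VCenterHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($VCenterHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 3. Build the chain with the machine's trust store. Revocation checking is disabled
#    because the self-signed VMware CA publishes no CRL; everything else is validated.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$valid = $chain.Build($leaf)

Write-Host ("Web Client certificate: {0}" -f $leaf.Subject)
Write-Host ("Issued by:              {0}" -f $leaf.Issuer)
Write-Host ("Chain valid:            {0}" -f $valid)
if (-not $valid) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}

# 4. The root of the chain must be the certificate we imported; if it is not, the
#    browser warning will stay, or you trusted a file that belongs to another host.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) {
    Write-Warning 'The Web Client certificate does not chain to the imported CA file.'
}
```

Run it once per client (or once on a test machine before distributing the file via Group Policy); a valid chain ending in the imported thumbprint means the browser warning will be gone for that server.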

In a Microsoft Active Directory environment you can also use Group Policies to automatically distribute the certificate to all Domain member machines.

If you access the Web Client using a Linux machine then the method to add a trusted certificate seems to be browser specific. For Chrome e.g. see here, and always remember that Google is your friend ;-)


This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.



6 comments:

  1. Are you sure about the path to cacert.pem? On our vCenter I have found it here:

    %ALLUSERSPROFILE%\VMware\VMware VirtualCenter\SSL

    In %ALLUSERSPROFILE%\VMware\vSphere Web Client\ssl\ I have only these files:
    rui.crt, rui.key and rui.pfx


    1. You are probably on an older (than 5.5) version of vCenter. The two certificates that you found are for different purposes. The first one is used for vSphere legacy client and API connections to port 443. The second one is used for the Web Client.

      Try to import the rui.pfx file on your client computer. When asked for a password use "testpassword" (without the quotes).

      Andreas

