If you have a recent VMware vSphere installation with a vCenter server in production or in a lab, then you will be aware that the Web Client is the recommended choice for managing the environment and that the well-known C#-based vSphere Client is considered deprecated or legacy (since version 5.1).
However, when you connect to the Web Client of your freshly installed vCenter server for the first time using your favorite Internet browser, you will be greeted by a more or less alarming warning. Chrome even warns you that VMware might steal your credit card information ;-) (well, they probably already have that) ... You should really be worried whenever you see this warning on a random Internet site, but you don't need to be if it's your company's internal vCenter server that you are trying to access.
So, why do you get this message, and how can you get rid of it?
The reason for this message is that the vCenter installation by default uses a self-signed certificate for the SSL-secured browser connection, and your computer does not trust this certificate. To address this issue VMware recommends replacing the default certificates with custom certificates issued by your own internal PKI. In the past it was a bold venture to replace the certificates manually, but nowadays VMware supplies not only extensive documentation for this process but even a tool to automate it. Nevertheless, in my opinion it is still quite an effort, because each vCenter component and every ESXi host uses its own certificate, and there are a lot of dependencies between them.
So, can you get rid of the annoying browser warning without replacing the default certificates? Yes, you can, and here is how:
All you need to do is make your computer trust the self-signed default certificate of the Web Client. If your vCenter server runs on Windows, the certificate is stored there in the file
%ALLUSERSPROFILE%\VMware\vSphere Web Client\ssl\cacert.pem
If you are using the vCenter Linux appliance then the file name should be
/etc/vmware-vsphere-client/SerenityDB/keys/vsphere-client-ca-cert.pem
(but sorry, I have not verified that, because I still use Windows only for vCenter)
Update 2015-03-16: For the vCenter 6.0 appliance the file is at
/var/lib/vmware/vmca/root.cer
Alternatively, you can add the certificate to the trusted root store from the command line with
certutil -addStore -f Root <certfile>
in a command prompt that you run as administrator.
In a Microsoft Active Directory environment you can also use Group Policies to automatically distribute the certificate to all Domain member machines.
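Whatever you put into the machine's Root store is trusted for every TLS connection on that computer, so it is worth checking that the file you are about to import really is the certificate (or the CA root, in the vCenter 6.0 case) that your Web Client presents. The following PowerShell script is an added example and not part of the original post: it fetches the certificate the server actually sends, checks that it chains to the certificate in the local file, and only then runs the certutil command from above. The server name, the Web Client port and the default file path are assumptions you need to adapt; run it from an elevated prompt.

```powershell
# Added example (not from the original post): verify the local certificate file
# against what the vCenter Web Client presents before trusting it machine-wide.
# Assumptions: $VCenter is your vCenter FQDN, $Port is the Web Client port
# (9443 for the 5.x Web Client, 443 for 6.0), $CertFile is the path given in the post.
param(
    [string]$VCenter  = 'vcenter.example.local',
    [int]$Port        = 9443,
    [string]$CertFile = "$env:ALLUSERSPROFILE\VMware\vSphere Web Client\ssl\cacert.pem"
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$TcpPort)
    # Open a TLS session and accept any server certificate for the moment;
    # we only want to look at it, not trust it yet.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-TrustAnchor {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Remote,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Local
    )
    # Build the chain of the presented certificate using the local file as the
    # only extra anchor. A self-signed Web Client certificate yields a chain of
    # one element; a VMCA-issued certificate (vCenter 6.0) chains up to root.cer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Local) | Out-Null
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.Build($Remote)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # The top of the chain must be exactly the certificate we are about to trust.
    return ($top.Thumbprint -eq $Local.Thumbprint)
}

$local  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
$remote = Get-RemoteCertificate -HostName $VCenter -TcpPort $Port

Write-Host "Local file : $($local.Subject)  [$($local.Thumbprint)]"
Write-Host "Presented  : $($remote.Subject)  [$($remote.Thumbprint)]"

if (Test-TrustAnchor -Remote $remote -Local $local) {
    # Same command as in the post; needs an elevated prompt.
    certutil -addStore -f Root $CertFile
} else {
    Write-Warning "The certificate presented by $VCenter does not chain to $CertFile. Not importing."
    exit 1
}
```

The chain check rather than a plain thumbprint comparison is deliberate: it makes the same script work for the 5.5 self-signed Web Client certificate and for the 6.0 VMCA root, and it refuses to import if someone has swapped the file or if you are talking to a different server than you think.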
If you access the Web Client from a Linux machine, the method to add a trusted certificate seems to be browser specific. For Chrome, for example, see here, and always remember that Google is your friend ;-)
This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. 
 Follow him on Twitter to keep up to date with what he posts.
Nice tip. Thanks
Thanks 🙋
Great tip!
Are you sure about the path to cacert.pem? On our vCenter I have found it here:
%ALLUSERSPROFILE%\VMware\VMware VirtualCenter\SSL
In %ALLUSERSPROFILE%\VMware\vSphere Web Client\ssl\ I have only these files:
rui.crt, rui.key and rui.pfx
You are probably on an older (than 5.5) version of vCenter. The two certificates that you found are for different purposes. The first one is used for vSphere legacy client and API connections to port 443. The second one is used for the Web Client.
Try to import the rui.pfx file on your client computer. When asked for a password use "testpassword" (without the quotes).
Andreas
The only guide that helped!