Script to add vSphere 6.5 VMCA Root Certificate to Trusted Certs Store

When running vSphere 6.5 deployments in the default (recommended) mode, the VMware Certificate Authority (VMCA) acts as its own root certificate authority. Everything is fine and secure with this configuration, but your browser displays a warning because the VMCA root certificate is not in its trusted root store.
[Screenshot: browser warning "There is a problem with this website's security certificate"]

I made a little script (VBS) that pulls the CA certificate from a vCenter Server or Platform Services Controller and adds it to the local trusted root certificate store. Once the root CA is trusted, the browser warnings are gone.

Just save the source to a file with a .vbs extension, or download the .zip package which includes the file. The script asks for the vCenter FQDN, pulls the certificate archive (download.zip) from the vCenter, extracts it and adds the root certificate to the local trusted root store.

The script is configured to elevate itself; when UAC is enabled, it asks for permission. Keep in mind that once the VMCA root is in the trusted store, every certificate issued by that VMCA is trusted by the machine, so only do this for a vCenter you control and verify the downloaded certificate before trusting it.
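For comparison, here is the same procedure as an added PowerShell example. It is not the VBS script from this post and not VMware's code. It assumes Windows PowerShell 5.1 on Windows 8 or later (Expand-Archive and Import-Certificate from the PKI module), that download.zip contains the root CA in Windows format as a .crt file, and that you have obtained the VMCA root's SHA-1 thumbprint out of band (for example from the vCenter appliance itself). The script name Add-VmcaRoot.ps1 and its parameter names are made up for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not the VBS script from the post): fetch the VMCA root CA
# from a vCenter 6.5 / PSC and import it into the machine Trusted Root store.
# Assumptions: Windows PowerShell 5.1, download.zip holds the root as *.crt,
# and the expected SHA-1 thumbprint was obtained out of band.
param(
    [Parameter(Mandatory)] [string] $VCenterFqdn,
    [string] $ExpectedThumbprint   # optional, but strongly recommended
)

# Explicit working directory: when elevated the current dir may be System32.
# -Force avoids the "File already exists" error when the script is re-run.
$workDir = Join-Path $env:TEMP "$VCenterFqdn-cacert"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$zipPath = Join-Path $workDir 'download.zip'

# Chicken-and-egg: the VMCA root is not trusted yet, so TLS validation of the
# download itself would fail. Bypass validation for this one request only and
# verify the certificate by thumbprint afterwards instead of trusting it blindly.
$previousCallback = [Net.ServicePointManager]::ServerCertificateValidationCallback
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    Invoke-WebRequest -Uri "https://$VCenterFqdn/certs/download.zip" -OutFile $zipPath -UseBasicParsing
} finally {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
}

Expand-Archive -Path $zipPath -DestinationPath $workDir -Force

# Windows-format certificates in the archive (layout assumed: certs\win\*.crt).
$rootCerts = Get-ChildItem -Path $workDir -Recurse -Filter '*.crt'
if (-not $rootCerts) { throw "No .crt files found in download.zip from $VCenterFqdn" }

foreach ($file in $rootCerts) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

    # Only a self-signed CA belongs in the Root store.
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "Skipping $($file.Name): not self-signed ($($cert.Subject))"
        continue
    }

    if ($ExpectedThumbprint) {
        # Normalize "AB:CD:..." or "ab cd ..." to the format .Thumbprint uses.
        $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($cert.Thumbprint -ne $want) {
            throw "Thumbprint mismatch for $($file.Name): got $($cert.Thumbprint), expected $want. Not importing."
        }
    } else {
        Write-Warning "No thumbprint supplied; importing $($cert.Thumbprint) unverified."
    }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported '$($cert.Subject)' ($($cert.Thumbprint)) into LocalMachine\Root"
}
```

Run it from an elevated prompt as `.\Add-VmcaRoot.ps1 -VCenterFqdn vcsa.virten.lab -ExpectedThumbprint 'AB:CD:...'`. The thumbprint check is the important part: the download is fetched with TLS validation disabled, so without comparing against a value you obtained another way, anyone able to intercept that request could plant their own root CA on your machine.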

Supported OS

  • Windows 7
  • Windows 8
  • Windows 10

Download: add-vcenter65-root-ca.vbs
Source: GitHub


  1. Why wouldn't you make VMware a subordinate CA?

  2. I receive an error when attempting to use this vbs script:

    Line: 34
    Char: 3
    Error: Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.
    Code: 800A0BB9
    Source: ADODB.Stream

  3. This is a fantastic piece of work, worked great for me in a non-domain home lab, for Chrome and Edge on Windows 10. FYI, Firefox still whines a little, "This website does not supply ownership information."

    Thank you so much for sharing this easier-than-ever way to get it done! Next step, certificate warnings for ESXi Embedded Host Client...

  4. Any tips on how to do this on a linux machine, primarily Ubuntu/LinuxMint? Thanks for providing this, extremely helpful.

    • Something like this:

      # Run as root. --no-check-certificate is needed because the VMCA root is
      # not trusted yet; check the downloaded CA's fingerprint before installing
      # it rather than trusting the download blindly.
      wget https://vcsa.virten.lab/certs/download.zip --no-check-certificate -O cacert.zip
      unzip cacert.zip
      # certs/lin/<hash>.0 is the root CA (OpenSSL CApath naming); the .r0 CRL is not matched.
      # Debian/Ubuntu expect PEM files with a .crt extension under /usr/share/ca-certificates.
      mkdir -p /usr/share/ca-certificates/extra
      cp certs/lin/*.0 /usr/share/ca-certificates/extra/vcsa.virten.lab.crt
      echo "extra/vcsa.virten.lab.crt" >> /etc/ca-certificates.conf
      # Rebuilds /etc/ssl/certs and ca-certificates.crt with the new entry.
      dpkg-reconfigure ca-certificates

  5. My lab's old vcsa.lab.local VM was deleted from inventory and a new one was created from scratch, so I get an error with Chrome not allowing me to login to this new vcsa (but Firefox lets me bypass, the new vcsa is healthy and fine).

    So I go to try to re-run your VBS script, but I get the following warning:

    Windows Script Host
    Script: c:\Users\pbraren\Downloads\add-vcenter65-root-ca.vbs
    Line: 23
    Char: 1
    Error: File already exists
    Code: 800A003A
    Source: Microsoft VBScript runtime error

    Do you have any suggestions for a workaround? I'm guessing it doesn't like that the download.zip or other temp file from the last time it was run still exists, but not finding any such file in my temp folder.

    • In Windows 10 with UAC the default dir for downloads might be your System32 dir. Check and delete C:\Windows\System32\[vcenter]-cacert\.

  6. Happy to replicate the issue or even record a video if that helps, just let me know.
