WilliamLam.com


Automating the import of vCenter Server 6.x root certificate

07.27.2016 by William Lam // 14 Comments

In vSphere 6.0, you can now easily import your vCenter Server's trusted root CA certificate onto your client desktop by simply downloading it from the vCenter Server's landing page, as shown in the screenshot below. Michael White also recently wrote about this topic here, including a step-by-step walkthrough.

[Screenshot: automate-import-of-vcenter-server-root-certificate-3]

Several weeks back I was working on an internal project which required the vCenter Server's root certificate. I was already aware of this interface and had written a quick and dirty script to automate the process of downloading and importing the certificate to the system I was working on. To be honest, I did not think much of the script after I wrote it. It was just recently that Alan Renouf, who was also involved in the project, mentioned that it might be worth sharing the script as others might also find it useful. I thought that was a good idea and refactored the code a bit since it was being used in a slightly different context. While doing so, I also created an equivalent PowerShell sample, since the original script was meant to run on either a Mac OS X or Linux platform.

With that, I have created a simple shell script called import-vcrootcertificate.sh, which can run on either a Mac OS X or Linux system, and a PowerShell script called Import-VCRootCertificate.ps1.

Both scripts are pretty easy to use: they accept a single command-line argument, which is the hostname/IP address of the vCenter Server that you wish to import the root certificate from. Before performing the import, both scripts detect whether the vCenter Server is Windows or the VCSA, since the two have a slightly different URL to the root certificate. Since the scripts need access to your certificate store, you will need to run them using a privileged account.

Here is a screenshot of running the PowerShell script:

[Screenshot: automate-import-of-vcenter-server-root-certificate-0]

Here is a screenshot of running the shell script:

[Screenshot: automate-import-of-vcenter-server-root-certificate-2]
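
An added example, not part of the original scripts: a bash helper that locates the extracted *.0 CA files in either archive layout reported in the comments below (flat, or under lin/ on 6.5 builds) and prints each file's SHA-256 fingerprint so it can be compared with a value obtained out of band before import. The function names, the lin default and the sample file names are assumptions, and the sample trees are constructed placeholders.

```bash
#!/usr/bin/env bash

# find_root_certs EXTRACT_DIR [PLATFORM]
# Prints one path per line for each *.0 file; returns 1 if none are found.
# Checks EXTRACT_DIR/PLATFORM first (6.5 layout), then EXTRACT_DIR (flat).
find_root_certs() {
    local dir="$1" platform="${2:-lin}" found=1 candidate f
    for candidate in "${dir}/${platform}" "${dir}"; do
        [ -d "${candidate}" ] || continue
        for f in "${candidate}"/*.0; do
            # An unmatched glob stays literal; -f filters that case out.
            [ -f "${f}" ] || continue
            printf '%s\n' "${f}"
            found=0
        done
        if [ "${found}" -eq 0 ]; then break; fi
    done
    return "${found}"
}

# print_fingerprints FILE...
# Shows subject and SHA-256 fingerprint for review before anything is
# copied into a trust store. Requires the openssl CLI.
print_fingerprints() {
    local f
    for f in "$@"; do
        openssl x509 -in "${f}" -noout -subject -fingerprint -sha256 || return 1
    done
}

# Constructed sample trees: empty placeholder files, not real certificates.
make_sample_trees() {
    local root
    root="$(mktemp -d)" || return 1
    mkdir -p "${root}/flat" "${root}/v65/lin" "${root}/v65/mac" "${root}/empty"
    : > "${root}/flat/aaaa1111.0"
    : > "${root}/v65/lin/bbbb2222.0"
    printf '%s\n' "${root}"
}

# Stand-alone demo: run the file with --demo as its only argument.
if [ "${1:-}" = "--demo" ]; then
    root="$(make_sample_trees)"
    find_root_certs "${root}/flat"
    find_root_certs "${root}/v65"
    find_root_certs "${root}/empty" || echo "no *.0 files found"
    rm -rf "${root}"
fi
```

On a real extraction, pass the paths printed by find_root_certs to print_fingerprints and compare the output before copying anything into the trust store.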


Comments

  1. smokex365 says

    07/27/2016 at 12:55 pm

    Awesome. This will save me a lot of time in the future. I just had to redo my vcsa and was holding off updating the cert because I didn't want to deal with it.

  2. Ben says

    08/01/2016 at 9:27 am

    I am unable to run the PowerShell script, it initially gives me the error message "Exception calling "DownloadFile" with "2" argument(s): "The given path's format is not supported."" Everything else then fails since it can't find the certs.zip file. I have tried it on two different systems with the same result.

  3. Ross says

    08/01/2016 at 1:10 pm

    am unable to run the PowerShell script, it initially gives me the error message “Exception calling “DownloadFile” with “2” argument(s): “The given path’s format is not supported.”” Everything else then fails since it can’t find the certs.zip file. I have tried it on two different systems with the same result.

    Looks like it's missing the parameter in the function. I was able to run it after I added ([string]$VC_HOSTNAME) to the Function.

    Function Import-VCRootCertificate ([string]$VC_HOSTNAME){

    • William Lam says

      08/02/2016 at 6:50 am

      @Ben @Ross,

      What version of PowerShell are you using? Wondering if older version may have some problems with the methods ...

      • Ross says

        08/02/2016 at 10:47 am

        I'm using 5.1

  4. Ken says

    08/02/2016 at 11:05 am

    I'm getting a similar error to Ben and Ross. Unfortunately Ross' fix didn't work for me. I am running PowerShell version 5.

  5. Ben says

    08/02/2016 at 11:32 am

    PowerShell 5.0 here as well, so not old. When I try Ross's fix I get a different error:

    "Unable to connect to the remote server."

  6. Peter Stancek says

    08/04/2016 at 2:12 am

    sudo ./import-vcrootcertificate.sh 192.168.x.x

    Downloading VC SSL Certificate to /tmp/cert.zip
    Importing to VC SSL Certificate to Certificate Store
    ./import-vcrootcertificate.sh: line 47: [: ==: unary operator expected
    Cleaning up, delete /tmp/cert.zip
    Cleaning up, delete /tmp/certs

    change
    if [ ${OS_TYPE} == "OSX" ]
    to
    if [ "${OS_TYPE}" == "OSX" ]

    tested on Linux/Debian

    • William Lam says

      08/04/2016 at 3:24 am

      Peter,

      Thanks for the catch. I've just fixed this and pushed the changes

  7. Nir Levy says

    05/07/2017 at 7:47 am

    Thanks for sharing!

    A few remarks running over ESXi 6.5

    (regarding import-vcrootcertificate.sh, revision ff05110)
    Line 40:
    https://${NODE_IP}/certs/download.zip
    .zip is missing

    Line 42:
    $(ls /tmp/certs/*.0);
    should be
    $(ls /tmp/certs/lin/*.0);

    I add creation of /usr/local/share/ca-certificates/ if it does not exist.

  8. Gregory Thompson says

    06/11/2017 at 12:24 pm

    PS C:\> C:\Import-VCRootCertificate.ps1
    At C:\Import-VCRootCertificate.ps1:7 char:3
    + 6 Function Import-VCRootCertificate ([string]$VC_HOSTNAME){
    + ~~~~~~~~
    Unexpected token 'Function' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:10 char:7
    + 9 $DOWNLOAD_PATH=[Environment]::GetFolderPath("Desktop")
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Unexpected token '$DOWNLOAD_PATH=[Environment]::GetFolderPath' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:11 char:8
    + 10 $DOWNLOAD_FILE_NAME="cert.zip"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Unexpected token '$DOWNLOAD_FILE_NAME="cert.zip"' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:12 char:8
    + 11 $DOWNLOAD_FILE_PATH="$DOWNLOAD_PATH\$DOWNLOAD_FILE_NAME"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Unexpected token '$DOWNLOAD_FILE_PATH="$DOWNLOAD_PATH\$DOWNLOAD_FILE_NAME"' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:13 char:8
    + 12 $EXTRACTED_CERTS_PATH="$DOWNLOAD_PATH\certs"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Unexpected token '$EXTRACTED_CERTS_PATH="$DOWNLOAD_PATH\certs"' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:17 char:8
    + 15 $URL = "https://"+$VC_HOSTNAME+":5480"
    + ~~~~
    Unexpected token '$URL' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:18 char:8
    + 16 $FOUND_VCSA = 1
    + ~~~~~~~~~~~
    Unexpected token '$FOUND_VCSA' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:23 char:8
    + 20 $websession = New-Object Microsoft.PowerShell.Commands.WebRequ ...
    + ~~~~~~~~~~~
    Unexpected token '$websession' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:24 char:8
    + 21 try {
    + ~~~
    Unexpected token 'try' in expression or statement.
    At C:\Import-VCRootCertificate.ps1:25 char:12
    + 22 $result = Invoke-WebRequest -Uri $URL -TimeoutSec 5
    + ~~~~~~~
    Unexpected token '$result' in expression or statement.
    Not all parse errors were reported. Correct the reported errors and try again.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

    PS C:\>

  9. Chase Hansen says

    07/21/2017 at 5:10 pm

    Script is broken with the latest 6.5 build, the certs.zip extracts into tmp/certs but it's broken out into three folders lin/mac/win after that.

  10. Nir Levy says

    10/31/2017 at 5:22 am

    After succeeding with importing certificate from vCenter appliance,
    I am trying to import a certificate from an ESXi 6.0U1 server.
    The certificate is received in the right place (the same place I've successfully imported; for my fc23 server it is /etc/pki/ca-trust/source/anchors/).
    I am getting the SSL error even after I run 'update-ca-trust' this time.

    The certificate ends with
    fmQQ1h/cK7u8
    -----END CERTIFICATE-----

    A little shorter than the vCenter one, and no " sign in it.

    uDoQVPQfukoUxnhZsBTno58=
    -----END CERTIFICATE-----

    Any suggestions?
    regards.
    Nir.

  11. Finny says

    02/26/2019 at 5:35 pm

    Was looking for something like this, thanks William. Running on Mac OS X High Sierra

    Downloading VC SSL Certificate to /tmp/cert.zip
    ls: /tmp/certs/*.0: No such file or directory
    Cleaning up, delete /tmp/cert.zip
    Cleaning up, delete /tmp/certs

    anyone try before is the unpacking mechanism?

    best
    finn
