In vSphere 6.0, you can now easily import your vCenter Server's trusted root CA certificate onto your client desktop by simply downloading it from the vCenter Server's landing page, as shown in the screenshot below. Michael White also recently wrote about this topic here, including a step-by-step walkthrough.
Several weeks back I was working on an internal project which required the vCenter Server's root certificate. I was already aware of this interface and had written a quick and dirty script to automate the process of downloading and importing the certificate into the system I was working on. To be honest, I did not think much of the script after I wrote it. It was only recently that Alan Renouf, who was also involved in the project, mentioned that it might be worth sharing the script, as others might also find it useful. I thought that was a good idea and refactored the code a bit, since it was being used in a slightly different context. While doing so, I also created an equivalent PowerShell sample, since the original script was meant to run on either a Mac OS X or Linux platform.
With that, I have created a simple shell script called import-vcrootcertificate.sh, which can run on either a Mac OS X or Linux system, and a PowerShell script called Import-VCRootCertificate.ps1.
Both scripts are pretty easy to use: they accept a single command-line argument, which is the hostname/IP address of the vCenter Server that you wish to import the root certificate from. Before performing the import, both scripts detect whether the vCenter Server is Windows-based or the VCSA, since the two have slightly different URLs for the root certificate. Since the script needs access to your certificate store, you will need to run it using a privileged account.
Here is a screenshot of running the PowerShell script:
Here is a screenshot of running the shell script:
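As an added example (not the author's import-vcrootcertificate.sh), the Linux import step as a set of shell functions: after download.zip has been unzipped, locate the hash-named .0 files in either of the layouts reported in the comments below (flat /tmp/certs/*.0 or /tmp/certs/lin/*.0), check that each one is a complete PEM certificate, and stage it into the distro's CA anchor directory. The Debian and RedHat anchor paths are the ones named in the comments; the macOS keychain import and the download itself are not covered here.

```shell
# Added example, not the original import-vcrootcertificate.sh: stage the
# vCenter root CA files from an unzipped download.zip into a Linux trust
# store. It handles both layouts reported in the comments (flat <dir>/*.0
# on older builds, <dir>/lin/*.0 on 6.5) and skips any file that is not a
# complete PEM certificate, so a truncated download is never trusted.

# Print the .0 (hash-named PEM) files, preferring the lin/ subfolder.
find_vc_root_certs() {
    local sub
    for sub in "$1/lin" "$1"; do
        if ls "$sub"/*.0 >/dev/null 2>&1; then
            ls "$sub"/*.0
            return 0
        fi
    done
    return 1                                 # nothing to import
}

# Anchor directory per distro family (paths as named in the thread).
ca_anchor_dir() {
    case "$1" in
        Debian) echo /usr/local/share/ca-certificates ;;
        RedHat) echo /etc/pki/ca-trust/source/anchors ;;
        *)      return 1 ;;                  # unknown family: caller decides
    esac
}

# True only when the file is one complete PEM certificate block.
is_pem_cert() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' &&
    tail -n 1 "$1" | grep -q '^-----END CERTIFICATE-----$'
}

# stage_vc_root_certs <unzipped-dir> <Debian|RedHat> [<dest-dir>]
# Copies each valid .0 file to <dest-dir> as <hash>.crt (Debian's
# update-ca-certificates only picks up .crt). Returns 1 if nothing staged.
stage_vc_root_certs() {
    local src="$1" os="$2" dest="${3:-}" files f n=0
    [ -n "$dest" ] || dest=$(ca_anchor_dir "$os") || return 1
    files=$(find_vc_root_certs "$src") || return 1
    mkdir -p "$dest" || return 1
    for f in $files; do
        if is_pem_cert "$f"; then
            cp "$f" "$dest/$(basename "$f" .0).crt" && n=$((n + 1))
        else
            echo "skipping $f: not a PEM certificate" >&2
        fi
    done
    [ "$n" -gt 0 ]
}
```

Source the file and, as root, run `stage_vc_root_certs /tmp/certs Debian` (or `RedHat`), then `update-ca-certificates` or `update-ca-trust` to rebuild the trust bundle.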
smokex365 says
Awesome. This will save me a lot of time in the future. I just had to redo my vcsa and was holding off updating the cert because I didn't want to deal with it.
Ben says
I am unable to run the PowerShell script, it initially gives me the error message "Exception calling "DownloadFile" with "2" argument(s): "The given path's format is not supported."" Everything else then fails since it can't find the certs.zip file. I have tried it on two different systems with the same result.
Ross says
am unable to run the PowerShell script, it initially gives me the error message “Exception calling “DownloadFile” with “2” argument(s): “The given path’s format is not supported.”” Everything else then fails since it can’t find the certs.zip file. I have tried it on two different systems with the same result.
Looks like it's missing the parameter in the function. I was able to run it after I added ([string]$VC_HOSTNAME) to the Function.
Function Import-VCRootCertificate ([string]$VC_HOSTNAME){
William Lam says
@Ben @Ross,
What version of PowerShell are you using? Wondering if an older version may have some problems with the methods ...
Ross says
I'm using 5.1
Ken says
I'm getting a similar error to Ben and Ross. Unfortunately Ross' fix didn't work for me. I am running PowerShell version 5.
Ben says
Powershell 5.0 here as well, so not old. When I try Ross's fix I get a different error:
"Unable to connect to the remote server."
Peter Stancek says
sudo ./import-vcrootcertificate.sh 192.168.x.x
Downloading VC SSL Certificate to /tmp/cert.zip
Importing to VC SSL Certificate to Certificate Store
./import-vcrootcertificate.sh: line 47: [: ==: unary operator expected
Cleaning up, delete /tmp/cert.zip
Cleaning up, delete /tmp/certs
change
if [ ${OS_TYPE} == "OSX" ]
to
if [ "${OS_TYPE}" == "OSX" ]
tested on Linux/Debian
William Lam says
Peter,
Thanks for the catch. I've just fixed this and pushed the changes
Nir Levy says
Thanks for sharing!
A few remarks from running it over ESXi 6.5
(regarding import-vcrootcertificate.sh, revision ff05110)
Line 40:
https://${NODE_IP}/certs/download.zip
.zip is missing
Line 42:
$(ls /tmp/certs/*.0);
should be
$(ls /tmp/certs/lin/*.0);
I added creation of /usr/local/share/ca-certificates/ if it did not exist.
Gregory Thompson says
PS C:\> C:\Import-VCRootCertificate.ps1
At C:\Import-VCRootCertificate.ps1:7 char:3
+ 6 Function Import-VCRootCertificate ([string]$VC_HOSTNAME){
+ ~~~~~~~~
Unexpected token 'Function' in expression or statement.
At C:\Import-VCRootCertificate.ps1:10 char:7
+ 9 $DOWNLOAD_PATH=[Environment]::GetFolderPath("Desktop")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token '$DOWNLOAD_PATH=[Environment]::GetFolderPath' in expression or statement.
At C:\Import-VCRootCertificate.ps1:11 char:8
+ 10 $DOWNLOAD_FILE_NAME="cert.zip"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token '$DOWNLOAD_FILE_NAME="cert.zip"' in expression or statement.
At C:\Import-VCRootCertificate.ps1:12 char:8
+ 11 $DOWNLOAD_FILE_PATH="$DOWNLOAD_PATH\$DOWNLOAD_FILE_NAME"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token '$DOWNLOAD_FILE_PATH="$DOWNLOAD_PATH\$DOWNLOAD_FILE_NAME"' in expression or statement.
At C:\Import-VCRootCertificate.ps1:13 char:8
+ 12 $EXTRACTED_CERTS_PATH="$DOWNLOAD_PATH\certs"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token '$EXTRACTED_CERTS_PATH="$DOWNLOAD_PATH\certs"' in expression or statement.
At C:\Import-VCRootCertificate.ps1:17 char:8
+ 15 $URL = "https://"+$VC_HOSTNAME+":5480"
+ ~~~~
Unexpected token '$URL' in expression or statement.
At C:\Import-VCRootCertificate.ps1:18 char:8
+ 16 $FOUND_VCSA = 1
+ ~~~~~~~~~~~
Unexpected token '$FOUND_VCSA' in expression or statement.
At C:\Import-VCRootCertificate.ps1:23 char:8
+ 20 $websession = New-Object Microsoft.PowerShell.Commands.WebRequ ...
+ ~~~~~~~~~~~
Unexpected token '$websession' in expression or statement.
At C:\Import-VCRootCertificate.ps1:24 char:8
+ 21 try {
+ ~~~
Unexpected token 'try' in expression or statement.
At C:\Import-VCRootCertificate.ps1:25 char:12
+ 22 $result = Invoke-WebRequest -Uri $URL -TimeoutSec 5
+ ~~~~~~~
Unexpected token '$result' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
PS C:\>
Chase Hansen says
Script is broken with the latest 6.5 build, the certs.zip extracts into tmp/certs but it's broken out into three folders lin/mac/win after that.
Nir Levy says
After succeeding with importing certificate from vCenter appliance,
I am trying to import the certificate from an ESXi 6.0U1 server.
The certificate is received in the right place (the same place I've successfully imported to; for my fc23 server it is /etc/pki/ca-trust/source/anchors/).
I am getting the SSL error even after I run 'update-ca-trust' this time.
certificate ends with
fmQQ1h/cK7u8
-----END CERTIFICATE-----
A little shorter than the vCenter one, and no " sign in it.
uDoQVPQfukoUxnhZsBTno58=
-----END CERTIFICATE-----
Any suggestions?
regards.
Nir.
Finny says
Was looking for something like this, thanks William. Running on Mac OS X High Sierra:
Downloading VC SSL Certificate to /tmp/cert.zip
ls: /tmp/certs/*.0: No such file or directory
Cleaning up, delete /tmp/cert.zip
Cleaning up, delete /tmp/certs
Anyone tried this before? Is it the unpacking mechanism?
best
finn