How to replace your Windows 10 certificate so browser security warnings go away after replacing your VMware VCSA

Posted by Paul Braren on Mar 4 2018 (updated on Dec 5 2018) in

I recently bumped into an issue after a public demonstration of my home lab. After the successful day, I routinely replaced the VCSA appliance I had been messing around with by deleting the old one and installing a new one. I re-used the same DNS name, which for my home lab is vcsa.lab.local, avoiding the need to update my DNS server.

Suddenly, using a browser to get to either of the UIs, the vSphere Web Client (Adobe Flash) or vSphere Client (HTML5), wouldn’t work. Even VAMI broke, and the main VCSA welcome page the allows easy certificate download. My browsers were trying to warn me that I was trying to connect to what they rightfully saw as an imposter. I've bumped into this conundrum before over the past fear years, of testing of dozens of beta versions. So off to Google I went, curious if there were clear-cut-articles out there with the resolution. I didn't find anything beside this KB 210894, so figured it's a great time for me to finally get my fix documented here, partly for my future self.

If you work in a lab where you've already downloaded certificates into your system's "Trusted Root Certification Authorities" store to avoid those important but pesky red browser warnings everywhere, such as by following along with my TinkerTry article:

How to import your VCSA certificate so ALL VMware vSphere browser security warnings go away in Windows 10

and you later replace your VMware vCenter Server Appliance (VCSA) like I did, you'll also get those scary warnings. These warnings can't be bypassed, as listed/shown here for reference:

Chrome

Chrome

Tested with version 64.0.3282.186
(Official Build) (64-bit)

Your connection is not private
Attackers might be trying to steal your information from vcsa.lab.local (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_INVALID

Automatically send some system information and page content to Google to help detect dangerous apps and sites. Privacy policy
vcsa.lab.local normally uses encryption to protect your information. When Google Chrome tried to connect to vcsa.lab.local this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be vcsa.lab.local, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit vcsa.lab.local right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.
Internet Explorer

Internet Explorer

Tested with version 11.850.15063.0 (64-bit)

This site is not secure

This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

Recommended iconClose this tab

More information More information

The website’s security certificate is not secure.
Error Code: 0
Microsoft Edge

Microsoft Edge

Tested with version 40.15063.674.0 (64-bit)

This site is not secure

This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.


Go to your Start page
Details

The website’s security certificate is not secure.
Error Code: 0
Firefox Quantum

Firefox

Tested with version 58.0.2 (64-bit)

Your connection is not secure

The owner of vcsa.lab.local has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

vcsa.lab.local uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

Add Exception...

While replacing your vCenter/VCSA in the enterprise isn't exactly a common occurrence, it's much more commonplace in the home lab, testing different versions of VCSA or beta testing future versions.

The fix I've documented here is fairly straightforward, tested on Windows 10 and VMware vSphere/VCSA 6.5U1f.

Prerequisites

These are the circumstances in my home lab:

willingness to type in FQDN
eg. https://vcsa.lab.local, not just https://vcsa
(I create single-click taskbar shortcuts anyway)
stand-alone Windows in workgroup mode
(not joined to Active Directory)
Administrative rights to Windows
VCSA 6.0 or later (I used 6.5U1f)

Remove the old VCSA certificate, then download and install the new one. Here's how.

The Fix

Here's the step-by-step written instructions, with a walk-thru video below.

Step 1) Delete the old VCSA certificate

Press the Win+R key on your keyboard
Type certlm.msc then press the "Enter" key
When prompted by "User Account Control", click "Yes"
Along the left, open the "Trusted Root Certification Authorities" and highlight the "Certificates" folder
Look for a certificate that is Issued To and Issued By "CA" and double-click on it
Select the "Details" tab
Scroll down to "Subject" and look for something like "VMware Engineering, vcsa.lab.local" but with your vcsa server's name instead
Click on the "Copy to File..." button, and save the certificate to your system's drive, just in case you ever need to import it again
Click OK to exit the view of the Certificate
With the Certificate you just inspected still highlighted, press Del on your keyboard and say Yes (to delete the certificate)

Step 2) Delete All cookies and site data for your old VCSA appliance

I detail the exact steps are detailed here:

appify-your-vmware-vsphere-related-web-uis-using-chrome-for-windows

VMware vSphere Taskbar Shortcuts Unleashed - profile switcher isolated and uncluttered Chrome Browser UIs act like native Windows apps!
Mar 27 2017

Step 3) Install the new VCSA certificate

I detail the exact steps are detailed here:

how-to-get-rid-of-vsphere-browser-certificate-warnings-in-windows

How to import your VCSA certificate so ALL VMware vSphere browser security warnings go away in Windows 10
Apr 26 2017

Step 4) Close Chrome, and kill all instances of Chrome.exe

Close all copies of the browser you use for vSphere sysadmin, making sure to kill all copies using Task Manager if necessary, or logging off and back in again to be extra sure.

Step 5) Test Remote Console

Invalid-Security-Certificate-cropped — Try opening up vSphere Client and launch a Remote Console to a powered-on VM, if you get this error, turn on the checkbox then click on "Connect Anyway"

Step 6) Recreate Chrome shortcuts (optional)

If you find any of your Taskbar shortcuts created in Chrome give an unexpected error, it's due to VCSA specific bookmarking. To clean them up, simply recreate those shortcuts, it's all explained in detail in the following TinkerTry article.