How to import your VCSA certificate so ALL VMware vSphere browser security warnings go away in Windows 10

Posted by Paul Braren on Apr 26 2017 (updated on Jan 31 2020) in
  • Virtualization
  • ESXi
  • HowTo
  • HomeLab
  • HomeServer
  • You can free up tons of vertical real-estate when doing your day-to-day vSphere sysadmin by hiding the URLs and tabs and dead space in Chrome, see:

    certificate-warnings-chrome-and-edge

    The thing is, home-lab friendly browser features such as (insecure) password saving don't work once Chrome, or other browsers, have that intentionally nasty red X certificate warning mode, prompting you to bypass before even showing you the suspect page. Won't you feel better getting rid of those warnings, once and for all? Yes, this method even works for the vSphere Web Client (Flash) and the VMware Host Client/vSphere Client (HTML5), and leverages the certificate authority baked right into VCSA! Now you know why FQDN and DNS is so important for VCSA, eh?

    It's easy, just one certificate to import into your Windows 10 system-wide "Trusted Root Certification Authorities" store. Video details the simple procedure below.

    Prerequisites

    These are the circumstances in my home lab, where I recorded this short video:

    shortname

    If you meet these prerequisites, great, this video will show you exactly how easy this is!
    If not, or if you use Firefox, read VMware KB 2108294 for guidance, see also comment below.

    Video

    Step-by-step, with explanations as I go:

    How to import the VCSA certificate so VMware vSphere browser security warnings go away in Windows 10

    Instructions - visual

    What I like about this is that it's a do it once thing, and you'll likely never forget it. Nice that the certificate doesn't expire for 10 years too ;)

    If you get this error when attempting to log in to your VCSA appliance from chrome:

    Your connection is not private
    Attackers might be trying to steal your information from vcsa.lab.local (for example, passwords, messages, or credit cards). Learn more
    NET::ERR_CERT_AUTHORITY_INVALID

    it's easiest to cut over to Firefox, and follow the rest of the below steps from there.

    2017-05-01_22-06-00
    open Edge Brower, type in the FQDN for your VCSA then press enter, when warned, click 'Details'.

     

    2017-05-01_22-06-59
    click on 'Go on to the webpage'.

     

    2017-05-01_22-09-24
    click on 'Download trusted root CA certificates'

     

    2017-05-01_22-10-22
    click 'Open'

     

    2017-05-01_22-11-42
    double-click 'certs' folder

     

    2017-05-01_22-12-38
    double-click 'win' folder

     

    2017-05-01_22-14-11
    double-click 'filename.0.crt' (your exact filename will vary

     

    2017-05-01_22-15-21
    click 'Open'

     

    2017-05-01_22-16-21
    click 'Install Certificate...'

     

    2017-05-01_22-19-55
    click 'Local Machine' then click 'Next'
    2017-05-01_22-21-10
    when prompted by UAC, click 'Yes'

     

    2017-05-01_22-22-27
    select 'Place all certificates in the following store' then click 'Browse...'

     

    2017-05-01_22-24-05
    select 'Trusted Root Certification Authorities' then click 'OK'

     

    2017-05-01_22-25-16
    click 'Next'

     

    2017-05-01_22-26-12
    click 'Finish'

     

    2017-05-01_22-26-58
    click 'OK

     

    2017-05-01_22-28-31
    click 'OK', you're done!

     
    Now test it.

    1. close Edge Browser
    2. close Chrome
    3. open Chrome
    4. if Chrome still shows certificate warnings, close it again, and use Task Manager's 'Processes' Tab to to kill all chrome.exe instances, then open Chrome again to retest
    5. if you're looking to fix Firefox, see VMware's guidance here.
    6. that's it, enjoy the happy green padlock for the next 10 years!

    Jan 31 2020 Update

    Great info in this @lamw tweet, here's an excerpt:

    PSA: If you’ve upgraded to latest version of Chrome & having issues logging into vSphere Client w/ "NET::ERR_CERT_REVOKED”, you need “ghost type” on that page “thisisunsafe” to bypass

    And here's the Google Support comment he refers to:

    Abhaas Sood 12/6/19
    This solution really works.

    "Here's the fix!!! As of 10/21/19 the bypass word is "thisisunsafe"

    Once you get to the page that says "Your connection is not private" click somewhere on the page and then blindly type the following thisisunsafe

    This will instantly bypass the warning. Please don't do this on sites you don't trust."

    I am just surprised how do people even find these kind of solutions.

    thisisunsafe

    See also at TinkerTry

    how-to-replace-your-windows-10-certificate-so-browser-security-warnings-go-away-after-replacing-your-vmware-vcsa

    See also

    2108294