How to replace your Windows 10 certificate so browser security warnings go away after replacing your VMware VCSA

Posted by Paul Braren on Mar 4 2018 (updated on Dec 5 2018) in
  • Virtualization
  • ESXi
  • HowTo
  • HomeLab
  • HomeServer
I recently bumped into an issue after a public demonstration of my home lab. After the successful day, I routinely replaced the VCSA appliance I had been messing around with by deleting the old one and installing a new one. I re-used the same DNS name, which for my home lab is vcsa.lab.local, avoiding the need to update my DNS server.

Suddenly, using a browser to get to either of the UIs, the vSphere Web Client (Adobe Flash) or vSphere Client (HTML5), wouldn't work. Even VAMI broke, and so did the main VCSA welcome page that allows easy certificate download. My browsers were trying to warn me that I was connecting to what they rightfully saw as an imposter: the new appliance had generated a fresh certificate authority of its own, while Windows still trusted only the one from the old appliance. I've bumped into this conundrum before over the past few years of testing dozens of beta versions. So off to Google I went, curious if there were clear-cut articles out there with the resolution. I didn't find anything besides this KB 210894, so I figured it's a great time for me to finally get my fix documented here, partly for my future self.

If you work in a lab where you've already downloaded certificates into your system's "Trusted Root Certification Authorities" store to avoid those important but pesky red browser warnings everywhere, such as by following along with my TinkerTry article:

and you later replace your VMware vCenter Server Appliance (VCSA) like I did, you'll also get those scary warnings. These warnings can't be bypassed, as listed/shown here for reference:

1. Chrome (tested with version 64.0.3282.186 (Official Build) (64-bit))

   Your connection is not private
   Attackers might be trying to steal your information from vcsa.lab.local (for example, passwords, messages, or credit cards).
   NET::ERR_CERT_INVALID

   vcsa.lab.local normally uses encryption to protect your information. When Google Chrome tried to connect to vcsa.lab.local this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be vcsa.lab.local, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

   You cannot visit vcsa.lab.local right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

2. Internet Explorer (tested with version 11.850.15063.0 (64-bit))

   This site is not secure
   This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
   The website’s security certificate is not secure.
   Error Code: 0

3. Microsoft Edge (tested with version 40.15063.674.0 (64-bit))

   This site is not secure
   This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
   The website’s security certificate is not secure.
   Error Code: 0

4. Firefox Quantum (tested with version 58.0.2 (64-bit))

   Your connection is not secure
   The owner of vcsa.lab.local has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
   vcsa.lab.local uses an invalid security certificate.
   The certificate is not trusted because the issuer certificate is unknown.
   The server might not be sending the appropriate intermediate certificates.
   An additional root certificate may need to be imported.
   Error code: SEC_ERROR_UNKNOWN_ISSUER
   Add Exception...

While replacing your vCenter/VCSA in the enterprise isn't exactly a common occurrence, it's much more commonplace in the home lab, testing different versions of VCSA or beta testing future versions.

The fix I've documented here is fairly straightforward, tested on Windows 10 and VMware vSphere/VCSA 6.5U1f.

Prerequisites

These are the circumstances in my home lab:

• willingness to type in the FQDN rather than the shortname
  eg. https://vcsa.lab.local, not just https://vcsa
  (I create single-click taskbar shortcuts anyway)
• stand-alone Windows in workgroup mode
  (not joined to Active Directory)
• Administrative rights to Windows
• VCSA 6.0 or later (I used 6.5U1f)

Remove the old VCSA certificate, then download and install the new one. Here's how.

The Fix

Here are the step-by-step written instructions, with a walk-thru video below.

Step 1) Delete the old VCSA certificate

1. Press the Win+R keys on your keyboard
2. Type certlm.msc then press the "Enter" key
3. When prompted by "User Account Control", click "Yes"
4. Along the left, open "Trusted Root Certification Authorities" and highlight the "Certificates" folder
5. Look for a certificate that is Issued To and Issued By "CA" and double-click on it
6. Select the "Details" tab
7. Scroll down to "Subject" and look for something like "VMware Engineering, vcsa.lab.local" but with your vcsa server's name instead
8. Click on the "Copy to File..." button, and save the certificate to your system's drive, just in case you ever need to import it again
9. Click OK to exit the view of the Certificate
10. With the Certificate you just inspected still highlighted, press Del on your keyboard and say Yes (to delete the certificate)

Step 2) Delete all cookies and site data for your old VCSA appliance

The exact steps are detailed here:

appify-your-vmware-vsphere-related-web-uis-using-chrome-for-windows

Step 3) Install the new VCSA certificate

The exact steps are detailed here:

how-to-get-rid-of-vsphere-browser-certificate-warnings-in-windows
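Steps 1 and 3 can also be done from an elevated PowerShell prompt, which is handy if you rebuild VCSA often. The following is an added example, not code from the original post or from VMware. It assumes the FQDN vcsa.lab.local, that the new certificate downloaded from the VCSA welcome page has already been extracted to C:\CertBackup\new-vcsa-root.crt (adjust the path to wherever you saved it), and that the old root's Subject contains "VMware Engineering" and the FQDN, as Step 1 describes. It also adds the check the post leaves to the browser: after the import it performs a TLS handshake with the appliance and confirms that the certificate it now presents chains to the root you just trusted.

```powershell
# Added example (not from the TinkerTry post or VMware). Run from an elevated PowerShell
# prompt on Windows 10, since it modifies the machine-wide Trusted Root store (the same
# store certlm.msc shows under Trusted Root Certification Authorities > Certificates).
$VcsaFqdn    = 'vcsa.lab.local'                     # assumed: your appliance's FQDN
$BackupDir   = 'C:\CertBackup'                      # assumed: where the old cert gets exported
$NewCertPath = 'C:\CertBackup\new-vcsa-root.crt'    # assumed: the cert downloaded from the new VCSA

# ---- Step 1: find the stale VCSA root(s), export a backup, then delete ----
# Match what Step 1 tells you to look for: Subject mentions "VMware Engineering" and your FQDN.
$stale = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$VcsaFqdn*" -and $_.Subject -like '*VMware Engineering*' }

if (-not $stale) {
    Write-Host "No trusted root for $VcsaFqdn found in LocalMachine\Root; skipping removal."
} else {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($cert in $stale) {
        # Equivalent of the "Copy to File..." button: DER export, named by thumbprint
        $backup = Join-Path $BackupDir "old-vcsa-root-$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $backup -Type CERT | Out-Null
        Write-Host "Backed up $($cert.Thumbprint) (valid until $($cert.NotAfter)) to $backup"
        # Equivalent of highlighting the certificate and pressing Del
        Remove-Item -Path $cert.PSPath
        Write-Host "Removed $($cert.Thumbprint) from Trusted Root Certification Authorities"
    }
}

# ---- Step 3: import the new VCSA root ----
$imported = Import-Certificate -FilePath $NewCertPath -CertStoreLocation Cert:\LocalMachine\Root
Write-Host "Imported '$($imported.Subject)' thumbprint $($imported.Thumbprint)"

# ---- Check: does the appliance actually present a certificate chaining to that root? ----
# Performs a TLS handshake to port 443 and inspects the certificate offered. The callback
# accepts any certificate only so the handshake completes; trust is evaluated separately below.
$tcp = New-Object System.Net.Sockets.TcpClient($VcsaFqdn, 443)
try {
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($VcsaFqdn)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain against Windows' own trust store, which now contains the imported root
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted   = $chain.Build($leaf)
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint

    if ($trusted -and $rootThumb -eq $imported.Thumbprint) {
        Write-Host "OK: $VcsaFqdn presents '$($leaf.Subject)', chaining to the root you just imported."
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain check failed for $VcsaFqdn (status: $status); chain root $rootThumb, imported root $($imported.Thumbprint). Re-download the certificate from the new appliance before trusting it."
    }
} finally {
    $tcp.Close()
}
```

The chain check only confirms issuer trust; hostname matching is still done by the browser, which is why the FQDN in the prerequisites matters. If the warning reports an old thumbprint after this, the browser is usually still running with cached state, which is what Step 4 addresses.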

Step 4) Close Chrome, and kill all instances of Chrome.exe

1. Close all copies of the browser you use for vSphere sysadmin, making sure to kill all copies using Task Manager if necessary, or logging off and back in again to be extra sure.

Step 5) Test Remote Console

Try opening up vSphere Client and launch a Remote Console to a powered-on VM. If you get the "Invalid Security Certificate" error, turn on the checkbox then click on "Connect Anyway".

Step 6) Recreate Chrome shortcuts (optional)

If you find any of your Taskbar shortcuts created in Chrome give an unexpected error, it's due to VCSA-specific bookmarking. To clean them up, simply recreate those shortcuts; it's all explained in detail in the following TinkerTry article.

appify-your-vmware-vsphere-related-web-uis-using-chrome-for-windows

Step 7) Configure Firefox (optional)

1. Click on the "Add Exception..." button
2. Click on Confirm Security Exception

Video

Step-by-step, with explanations as I go:

How to replace your Win 10 certificate so browser warnings go away after replacing your VMware VCSA

See also at TinkerTry

how-to-get-rid-of-vsphere-browser-certificate-warnings-in-windows

Here are the current versions of VCSA and ESXi.

easy-upgrade-to-vcsa-65u1f

easy-update-to-latest-esxi

See also

monthly-security-patch-program-vcenter-server-appliance-vcsa

farewell-vcenter-server-windows