How to replace your Windows 10 certificate so browser security warnings go away after replacing your VMware VCSA
I recently bumped into an issue after a public demonstration of my home lab. After the successful day, I routinely replaced the VCSA appliance I had been messing around with by deleting the old one and installing a new one. I re-used the same DNS name, which for my home lab is vcsa.lab.local, avoiding the need to update my DNS server.
Suddenly, using a browser to get to either of the UIs, the vSphere Web Client (Adobe Flash) or vSphere Client (HTML5), wouldn’t work. Even VAMI broke, as did the main VCSA welcome page that allows easy certificate download. My browsers were trying to warn me that I was trying to connect to what they rightfully saw as an imposter. I've bumped into this conundrum before over the past few years of testing dozens of beta versions. So off to Google I went, curious if there were clear-cut articles out there with the resolution. I didn't find anything besides this KB 210894, so I figured it's a great time for me to finally get my fix documented here, partly for my future self.
If you work in a lab where you've already downloaded certificates into your system's "Trusted Root Certification Authorities" store to avoid those important but pesky red browser warnings everywhere, such as by following along with my TinkerTry article:
and you later replace your VMware vCenter Server Appliance (VCSA) like I did, you'll also get those scary warnings. These warnings can't be bypassed, as listed/shown here for reference:
- Chrome
Tested with version 64.0.3282.186 (Official Build) (64-bit)
Your connection is not private
Attackers might be trying to steal your information from vcsa.lab.local (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_INVALID
Automatically send some system information and page content to Google to help detect dangerous apps and sites. Privacy policy
vcsa.lab.local normally uses encryption to protect your information. When Google Chrome tried to connect to vcsa.lab.local this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be vcsa.lab.local, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
You cannot visit vcsa.lab.local right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.
- Internet Explorer
Tested with version 11.850.15063.0 (64-bit)
This site is not secure
This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
Close this tab
More information
The website’s security certificate is not secure.
Error Code: 0
- Microsoft Edge
Tested with version 40.15063.674.0 (64-bit)
This site is not secure
This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
Go to your Start page
Details
The website’s security certificate is not secure.
Error Code: 0
- Firefox Quantum
Tested with version 58.0.2 (64-bit)
Your connection is not secure
The owner of vcsa.lab.local has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Learn more…
Report errors like this to help Mozilla identify and block malicious sites
vcsa.lab.local uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER
Add Exception...
While replacing your vCenter/VCSA in the enterprise isn't exactly a common occurrence, it's much more commonplace in the home lab, testing different versions of VCSA or beta testing future versions.
The fix I've documented here is fairly straightforward, tested on Windows 10 and VMware vSphere/VCSA 6.5U1f.
Prerequisites
These are the circumstances in my home lab:
- willingness to type in FQDN, e.g. https://vcsa.lab.local, not just https://vcsa (I create single-click taskbar shortcuts anyway)
- stand-alone Windows in workgroup mode (not joined to Active Directory)
- Administrative rights to Windows
- VCSA 6.0 or later (I used 6.5U1f)
Remove the old VCSA certificate, then download and install the new one. Here's how.
The Fix
Here are the step-by-step written instructions, with a walk-thru video below.
Step 1) Delete the old VCSA certificate
- Press the Win+R key on your keyboard
- Type certlm.msc then press the "Enter" key
- When prompted by "User Account Control", click "Yes"
- Along the left, open the "Trusted Root Certification Authorities" and highlight the "Certificates" folder
- Look for a certificate that is Issued To and Issued By "CA" and double-click on it
- Select the "Details" tab
- Scroll down to "Subject" and look for something like "VMware Engineering, vcsa.lab.local" but with your vcsa server's name instead
- Click on the "Copy to File..." button, and save the certificate to your system's drive, just in case you ever need to import it again
- Click OK to exit the view of the Certificate
- With the Certificate you just inspected still highlighted, press Del on your keyboard and say Yes (to delete the certificate)
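The same Step 1 can be done from an elevated PowerShell prompt. This is an added example, not part of the original article; $VcsaFqdn and $BackupDir are placeholders to adjust for your lab. It matches the criteria described above (Issued To and Issued By "CA", with the VCSA name in the Subject), saves a backup copy, and asks for confirmation before each deletion so you can check the thumbprint and dates first.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.
# Assumptions: $VcsaFqdn and $BackupDir are placeholders for your own lab.
$VcsaFqdn  = 'vcsa.lab.local'
$BackupDir = Join-Path $env:USERPROFILE 'vcsa-cert-backup'

# Local Machine "Trusted Root Certification Authorities" is Cert:\LocalMachine\Root.
# The old VCSA root is issued to and by "CA" and carries the VCSA name in its Subject.
$cnCa  = '(^|,\s*)CN=CA(,|$)'
$stale = @(Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -match $cnCa -and
    $_.Issuer  -match $cnCa -and
    $_.Subject -like "*$VcsaFqdn*"
})

if ($stale.Count -eq 0) {
    Write-Warning "No trusted root matching $VcsaFqdn was found; nothing to delete."
}
else {
    # Show exactly what matched before touching the store.
    $stale | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($cert in $stale) {
        # Equivalent of "Copy to File...": keep a DER copy in case it must be re-imported.
        $file = Join-Path $BackupDir "$VcsaFqdn-$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $file | Out-Null
        Write-Host "Backed up $($cert.Thumbprint) to $file"

        # Equivalent of pressing Del; -Confirm prompts once per certificate.
        Remove-Item -LiteralPath $cert.PSPath -Confirm
    }
}
```

If the new VCSA's certificate has already been imported under the same name, it will match too; answer No at the prompt for the one with the newer NotBefore date.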
Step 2) Delete All cookies and site data for your old VCSA appliance
The exact steps are detailed here:
Step 3) Install the new VCSA certificate
The exact steps are detailed here:
- How to import your VCSA certificate so ALL VMware vSphere browser security warnings go away in Windows 10
Apr 26 2017
Step 4) Close Chrome, and kill all instances of Chrome.exe
- Close all copies of the browser you use for vSphere sysadmin, making sure to kill all copies using Task Manager if necessary, or logging off and back in again to be extra sure.
Step 5) Test Remote Console
Step 6) Recreate Chrome shortcuts (optional)
If you find that any of your Taskbar shortcuts created in Chrome give an unexpected error, it's due to VCSA-specific bookmarking. To clean them up, simply recreate those shortcuts; it's all explained in detail in the following TinkerTry article.
Step 7) Configure Firefox (optional)
- Click on the "Add Exception..." button
- Click on Confirm Security Exception
Video
Step-by-step, with explanations as I go:
See also at TinkerTry
- How to import your VCSA certificate so ALL VMware vSphere browser security warnings go away in Windows 10
Apr 26 2017
Here are the current versions of VCSA and ESXi.
- How to update any VMware ESXi Hypervisor to the latest using ESXCLI for easy download and install
Updated with each new release.
See also
- Monthly Security Patch Program for the vCenter Server Appliance
Sep 22 2017 by Charu Chaubal at VMware Blogs
- Farewell, vCenter Server for Windows
Aug 25 2017 by Martin Yip at VMware Blogs