VMware Certificates
VMware uses certificates to secure SSL communication between the vCenter components and the ESXi nodes.
If the vCenter uses an untrusted or invalid certificate, "Could not establish trust relationship for the SSL/TLS secure channel with authority" errors can occur when attempting to connect to the ESXi nodes.
This error can occur when our VMware scripts run the PowerCLI Connect-VIServer command, and it can result in an Unknown error recorded against the script in the More Information section of the All Devices view.
Use one of the following options to alleviate the issue:
Option 1: Import the VMware Certificate Authority (VMCA) root certificate
VMCA uses self-signed certificates that are automatically generated as part of the ESXi installation process. To add these certificates to the Windows Trusted Root Certificate Authorities store:
- Launch a browser
- Navigate to https://<vCenter Server>/ and click Download trusted root CA certificates, or go to https://<vCenter Server>/certs/download.zip to download the certificate
- Extract the downloaded ZIP file
- Double-click the .CRT file and use the wizard to import the certificate into the Windows Trusted Root Certificate Authorities store
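The import in Option 1 can also be scripted and followed by a trust check, so the result is confirmed before the VMware scripts run again. This is an added example, not part of the original page; it assumes the ZIP was already downloaded with the browser, the default ZIP path and the host name vcenter.example.internal are placeholders, and the import needs an elevated session.

```powershell
# Added example. Assumptions: download.zip was already saved by the browser,
# vcenter.example.internal is a placeholder, and the session is elevated.
param(
    [string]$ZipPath = "$env:USERPROFILE\Downloads\download.zip",
    [string]$VCenter = 'vcenter.example.internal',
    [switch]$Import   # without this switch the script only reports
)

function Test-TlsTrust {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # No validation callback is supplied, so SslStream applies the
        # default Windows chain and host name checks.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try { $ssl.AuthenticateAsClient($HostName); return $true }
        catch { Write-Warning $_.Exception.Message; return $false }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

$extractDir = Join-Path $env:TEMP 'vmca-root'
Expand-Archive -Path $ZipPath -DestinationPath $extractDir -Force

# List every certificate in the ZIP so its thumbprint can be compared with
# a value obtained out of band before it is trusted.
$certs = foreach ($file in Get-ChildItem $extractDir -Recurse -Filter *.crt) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
    [pscustomobject]@{
        Path = $file.FullName; Subject = $c.Subject; Thumbprint = $c.Thumbprint
        NotAfter = $c.NotAfter; IsRoot = ($c.Subject -eq $c.Issuer)
    }
}
$certs | Format-List Subject, Thumbprint, NotAfter, IsRoot

if ($Import) {
    # Only self-signed (root) certificates belong in the Trusted Root store.
    foreach ($root in $certs | Where-Object IsRoot) {
        Import-Certificate -FilePath $root.Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
}

"Default TLS validation for ${VCenter}: $(Test-TlsTrust -HostName $VCenter)"
```

Run it once without -Import to review the thumbprints, then again with -Import; a final result of True means the default certificate validation succeeds and Option 3 is not needed.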
Option 2: Replace the default certificates with CA-signed SSL certificates
Although VMCA certificates are unique to each installation, they are not verifiable or signed by a trusted certification authority (CA), and they may not comply with your organization’s security policy.
To create a CA-signed SSL certificate:
- Generate a Certificate Signing Request (CSR) in the vSphere Certificate Manager
- Submit the request to your enterprise CA or to an external certificate authority for signing
- Replace the self-signed certificates with the CA-signed versions
Because CA-signed certificates expire, we recommend you put in place a process to manage all certificates used by VMware.
Option 3: Use Set-PowerCLIConfiguration to ignore invalid certificates (not recommended)
There are two options to ignore invalid certificates:
- Option 1 (Advanced RBM must be enabled):
  - On the All Devices view North-pane, right-click the device with the failing ESXi check and select Remote Background > Advanced
  - When prompted, enter the password you used to sign into N-sight RMM
  - When you are connected, click the action menu (⋮) and select Start Interactive Powershell (BETA)
  - Run the following commands:
    Import-Module VMware.PowerCLI
    Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
- Option 2:
  - Open PowerCLI on the desktop of the affected device
  - Run the following command:
    Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope AllUsers -Confirm:$false
Further information
For more information about VMware, see the following: