VMware Certificates

VMware uses certificates to secure SSL communication between the vCenter components and the ESXi nodes.

If the vCenter uses an untrusted or invalid certificate, "Could not establish trust relationship for the SSL/TLS secure channel with authority" errors can occur when attempting to connect to the ESXi nodes.

This error can occur when our VMware scripts run the PowerCLI Connect-VIServer command, and it can result in an Unknown error being recorded against the script in its Dashboard More Information section.

Use one of the following options to alleviate the issue:

Option 1: Import the VMware Certificate Authority (VMCA) root certificate

VMCA uses self-signed certificates that are automatically generated as part of the ESXi installation process. To add these certificates to the Windows Trusted Root Certification Authorities store:

  1. Launch a browser
  2. Navigate to https://<vCenter Server>/ and click Download trusted root CA certificates or go to https://<vCenter Server>/certs/download.zip to download the certificate
  3. Extract the downloaded ZIP file
  4. Double-click the .CRT file and use the wizard to import the certificate into the Windows Trusted Root Certification Authorities store
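
Steps 3 and 4 can also be scripted so that a certificate is only trusted after its thumbprint has been checked. The following is an added example, not part of the original article or of VMware's tooling; the script parameters $ZipPath and $ExpectedThumbprint are assumptions, with the expected thumbprint obtained out of band (for example from the vCenter administrator).

```powershell
#Requires -Version 5.0
#Requires -RunAsAdministrator
# Added example: extract the ZIP downloaded in step 2 and import the VMCA root
# into LocalMachine\Root only if its thumbprint matches a known-good value.
# $ZipPath and $ExpectedThumbprint are supplied by the operator (assumptions).
param(
    [Parameter(Mandatory)] [string] $ZipPath,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$ErrorActionPreference = 'Stop'

# Normalise the expected value: drop spaces/colons, compare in upper case.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$extractDir = Join-Path $env:TEMP ("vmca-" + [guid]::NewGuid())
Expand-Archive -Path $ZipPath -DestinationPath $extractDir

try {
    # Search recursively so the script does not depend on the ZIP's folder layout.
    $crtFiles = Get-ChildItem -Path $extractDir -Recurse -Filter '*.crt'
    if (-not $crtFiles) { throw "No .crt files found in $ZipPath" }

    $imported = $false
    foreach ($file in $crtFiles) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

        # List every candidate so the operator can see what the ZIP contained.
        '{0}  {1}  expires {2:yyyy-MM-dd}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter

        # Thumbprint is the SHA-1 hash Windows shows in the certificate dialog.
        if ($cert.Thumbprint -eq $expected) {
            # Only a self-issued certificate belongs in the root store.
            if ($cert.Subject -ne $cert.Issuer) {
                throw "Matched certificate is not self-issued: $($cert.Subject)"
            }
            Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
            $imported = $true
        }
    }

    if (-not $imported) {
        throw "No certificate in the ZIP matched thumbprint $expected; nothing was imported."
    }
}
finally {
    Remove-Item -Path $extractDir -Recurse -Force
}
```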

Option 2: Replace the default certificates with CA-signed SSL certificates

Although VMCA certificates are unique to each installation, they are not verifiable or signed by a trusted certification authority (CA), and they may not comply with your organization’s security policy.

To create a CA-signed SSL certificate:

  1. Generate a Certificate Signing Request (CSR) in the vSphere Certificate Manager
  2. Submit the request to your enterprise CA or to an external certificate authority for signing
  3. Replace the self-signed certificates with the CA-signed versions

As CA-signed certificates expire, we recommend you put in place a process to manage all certificates used by VMware.

Option 3: Use Set-PowerCLIConfiguration to ignore invalid certificates (not recommended)

There are two options to ignore invalid certificates:

  1. Option 1 (Advanced RBM must be enabled):
    1. On the N-sight RMM Dashboard North-pane, right-click the device with the failing ESXi check and select Remote Background > Advanced
    2. When prompted, enter the password you used to sign into N-sight RMM
    3. When you are connected, click the action menu (⋮) and select Start Interactive Powershell (BETA)
    4. Run the following commands:

      Import-Module VMware.PowerCLI

      Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

  2. Option 2:
    1. Open PowerCLI on the desktop of the affected device

    2. Run the following command:

      Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -scope AllUsers -Confirm:$false

Further information

For more information about VMware, see the following: