TheVElement
VMware Employee

There's actually a couple issues in the present version of Chrome that could keep the CIP/EAP from working. Building off what tim_841 and mateuszd have contributed, I was able to put together a set of instructions to work around these issues:

  1. Back up the following files:
    C:\ProgramData\VMware\CIP\csd\ssl\cert.der
    C:\ProgramData\VMware\CIP\csd\ssl\cert.pem
    C:\ProgramData\VMware\CIP\csd\ssl\server.pem
  2. Add the following to C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg file:
    CIP
    Add the following to the end of the [ req ] section:
    req_extensions = v3_req
    Add the following section and entry at the end of the file:
    [ v3_req ]

    subjectAltName = DNS:vmware-localhost

    EAP
    Add the following to the end of the [ req_req_extensions ] and [ req_x509_extensions ] sections:
    subjectAltName = @alt_names
    Add the following section and entry at the end of the file:
    [ alt_names ]
    DNS.1 = vmware-plugin
  3. Create a new Certificate Signing Request:
    CIP
    "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
    EAP
    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
  4. Sign the Certificate Signing Request:
    CIP
    "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions v3_req
    EAP
    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions req_x509_extensions
  5. Combine the new certificate and private key into the server.pem file:
    CIP/EAP
    copy /b C:\ProgramData\VMware\CIP\csd\ssl\cert.pem+C:\ProgramData\VMware\CIP\csd\ssl\key.pem C:\ProgramData\VMware\CIP\csd\ssl\server.pem
  6. Create the binary DER certificate:
    CIP
    "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
    EAP
    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
  7. Remove the vmware-localhost (CIP) or vmware-plugin (EAP) certificate from the Trusted Root Certification Authorities store for the Local Computer, and import the new one we just made (C:\ProgramData\VMware\CIP\csd\ssl\cert.pem).
  8. Add the Friendly Name "VMware-CSD Cert" to the new vmware-localhost/vmware-plugin certificate
  9. Modify permissions for the new "cert.der", "cert.pem", and "server.pem":
    CIP
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F
    EAP
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r *S-1-5-11:R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

Some notes:

  1. Despite replacing the certificate, I could not get the EAP to work in IE or Edge, nor the CIP to work in Edge.
  2. If your vCenter connects to an external PSC, Chrome will still show the "Use Windows session authentication" option as disabled on vCenter, but will be available on the PSC. The reason is because of the same-origin security policy. I believe the official fix will utilize CORS so that this will not be an issue. There is a way to work around it, but I will not post it here as it can introduce a security vulnerability.
  3. For me, Firefox automatically had the CIP certificate added to its certificate store; I just had to restart the browser. For the EAP, I had to add a manual exception for https://vmware-plugin:8094 and restart the browser.
  4. This was tested on Windows 7 and 10 in Chrome 58, Firefox 53, IE 11, and Edge.
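
A read-only check of the result of steps 2 through 9, as an added PowerShell example that is not part of the original post. It uses only the paths, host names and friendly name given above, and assumes PowerShell 3.0 or later in an elevated prompt; set `$expected` to `vmware-plugin` for the EAP.

```powershell
# Added verification example; paths and names come from the steps in the post.
$sslDir   = 'C:\ProgramData\VMware\CIP\csd\ssl'
$expected = 'vmware-localhost'          # 'vmware-plugin' for the EAP

# Step 6 output: load the DER certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $sslDir 'cert.der')

# Steps 2-4: 2.5.29.17 is the OID of the subjectAltName extension.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    Write-Warning 'No subjectAltName in cert.der; recheck step 2 and the -extensions name in step 4.'
} elseif ($san.Format($false) -notmatch [regex]::Escape($expected)) {
    Write-Warning "subjectAltName does not list ${expected}: $($san.Format($false))"
} else {
    "SAN OK: $($san.Format($false))"
}

# Step 5: server.pem must begin with the new cert.pem and also hold the private key.
$certPem   = (Get-Content (Join-Path $sslDir 'cert.pem') -Raw).Trim()
$serverPem = Get-Content (Join-Path $sslDir 'server.pem') -Raw
if ((-not $serverPem.StartsWith($certPem)) -or ($serverPem -notmatch 'PRIVATE KEY')) {
    Write-Warning 'server.pem is not cert.pem followed by the private key.'
}

# Steps 7-8: only the new certificate should be trusted, with the expected friendly name.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Subject }
foreach ($c in $root) {
    if ($c.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "Old certificate still trusted: $($c.Thumbprint)"
    } elseif ($c.FriendlyName -ne 'VMware-CSD Cert') {
        Write-Warning "Friendly name is '$($c.FriendlyName)', expected 'VMware-CSD Cert'."
    }
}
if ($root.Thumbprint -notcontains $cert.Thumbprint) {
    Write-Warning 'New certificate is not in the Local Computer Trusted Root store.'
}

# Step 9: inheritance should be removed; list the remaining grants for review.
foreach ($f in 'cert.der', 'cert.pem', 'server.pem') {
    $acl = Get-Acl (Join-Path $sslDir $f)
    if (-not $acl.AreAccessRulesProtected) { Write-Warning "$f still inherits permissions." }
    $acl.Access | ForEach-Object { "{0}: {1} {2}" -f $f, $_.IdentityReference, $_.FileSystemRights }
}
```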