VMware Cloud Community
eksip2
Contributor

How to install vCenter Server root certificates on Ubuntu

I am using Ubuntu GUI and Chrome browser to connect to vCenter.

I see the error that my connection may not be private:

Your connection is not private

Attackers might be trying to steal your information from 192.168.2.123 (for example, passwords, messages or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

This article has no instructions on how to install certificates on Linux machines: VMware Knowledge Base
I downloaded the vCenter certificates to Ubuntu.
First I tried to move the certificate "dbad4059.0.crt" from window folder to usr/local/share/ca-certificates/ and ran the command: sudo update-ca-certificates

It did not work.

After that I moved the certificate from the lin folder to usr/local/share/ca-certificates/ and ran the command: sudo update-ca-certificates

Also with no success.

Please advise me what I should do to install vCenter certificates on an Ubuntu machine.

Thank you.

Lalegre
Virtuoso

Hey eksip2,

Try this: https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate (It is similar to how you did it but also has some additional steps)

And check in this file if the path has been reflected: /etc/ca-certificates.conf

eksip2
Contributor

Thank you Lalegre

I tried the link but it did not work. I tried on my local Ubuntu, and on a virtual Ubuntu server (where I installed a GUI).

Here are the commands I ran from

https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

root@lab1:/home/lab1/Downloads/download/certs/win# ls
dbad4059.0.crt  dbad4059.r0.crl
root@lab1:/home/lab1/Downloads/download/certs/win# cp dbad4059.0.crt /usr/share/ca-certificates/extra/
root@lab1:/home/lab1/Downloads/download/certs/win# cd /usr/share/ca-certificates/extra
root@lab1:/usr/share/ca-certificates/extra# ls
dbad4059.0.crt
root@lab1:/usr/share/ca-certificates/extra# sudo dpkg-reconfigure ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Processing triggers for ca-certificates (20190110ubuntu1.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@lab1:/usr/share/ca-certificates/extra# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@lab1:/usr/share/ca-certificates/extra#

root@lab1:/usr/share/ca-certificates/extra# less /etc/ca-certificates.conf
la/VeriSign_Universal_Root_Certification_Authority.crt
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
mozilla/XRamp_Global_CA_Root.crt
mozilla/certSIGN_ROOT_CA.crt
mozilla/ePKI_Root_Certification_Authority.crt
mozilla/thawte_Primary_Root_CA.crt
mozilla/thawte_Primary_Root_CA_-_G2.crt
mozilla/thawte_Primary_Root_CA_-_G3.crt
extra/dbad4059.0.crt   # this line indicates that the vCenter certificate was added to ca-certificates.conf

as it was mentioned here https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

# This is a lab environment and this is what the certificate looks like

root@lab1:/usr/share/ca-certificates/extra# cat dbad4059.0.crt

root@lab1:/usr/share/ca-certificates/extra# less /etc/ca-certificates.conf

Lalegre
Virtuoso

Hey eksip2,

I would like to know something. Is this certificate a self-signed one or a custom CA one? From the download.zip, do you only get two files or more than those?

Also, assuming from your extract that you are using Firefox for browsing vCenter Server: there is a known issue with this browser that can be fixed by following this procedure: https://ivobeerens.nl/2018/02/13/firefox-not-trusts-vcenter-ca-signed-certificates/

Let us know how it goes!

eksip2
Contributor

Hello Lalegre,

Thank you for your reply. I was able to install vCenter certificates on Firefox, and in Firefox the connection is shown as secure now.

Now I am trying to install vCenter certificates on Ubuntu to fix the security warning on Chrome as well.

Your question: I would like to know something. Is this certificate a self-signed one or a custom CA one?

I did not add any additional SSL certificates to vCenter. I am using certificates which can be exported from vCenter by default.

The download.zip file has two files in each folder (win, lin, mac).

Thanks for your help.

Lalegre
Virtuoso

Hello eksip2,

Quick question: does your self-signed certificate from vCenter contain the FQDN in the Subject Alternative Name? If it does not contain it, it will not be trusted by Chrome. This validation was applied in Chrome version 58.

If you get the next error during the cert validation on Chrome then that is your issue: NET::ERR_CERT_COMMON_NAME_INVALID

Of course you can bypass the validations of SSL, but this will be applied at browser level and you should not do that because it will be applied to all the sites.

If you really want that, I would recommend that you generate a new SSL certificate (custom or self-signed) but adding the SAN to it.

Reply
0 Kudos
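
The Subject Alternative Name check raised in the last reply, as an added example that is not part of the thread: it takes the text form of a server certificate and reports whether the SAN covers the host typed into the browser, which for an address such as 192.168.2.123 means an "IP Address:" entry rather than a DNS one. The sample certificate text and the `lab.example` names are constructed for illustration, and only IPv4 literals are handled.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Feed it the text printed by:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 -noout -text
# SAMPLE_CERT_TEXT is constructed for illustration; names in it are hypothetical.
SAMPLE_CERT_TEXT='        Subject: CN = vcsa.lab.example
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vcsa.lab.example, DNS:*.mgmt.lab.example, IP Address:192.168.2.123
            X509v3 Basic Constraints: critical
                CA:FALSE'

# Print the SAN entries one per line, e.g. "DNS:vcsa.lab.example".
san_entries() {
  printf '%s\n' "$1" \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 if HOST ($2) is covered by a SAN entry in the cert text ($1), else 1.
# The Subject CN is never consulted. IPv4 literals match only "IP Address:"
# entries; names match "DNS:" entries, where a leading "*." covers one label.
san_covers_host() {
  local text host is_ip entry name suffix label
  text=$1
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $host in *[!0-9.]*) is_ip=0 ;; *) is_ip=1 ;; esac   # IPv4 only
  while IFS= read -r entry; do
    case $entry in
      "IP Address:"*)
        [ "$is_ip" = 1 ] && [ "${entry#"IP Address:"}" = "$host" ] && return 0 ;;
      DNS:*)
        [ "$is_ip" = 1 ] && continue
        name=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z')
        case $name in
          \*.*)
            suffix=${name#\*}          # e.g. ".mgmt.lab.example"
            label=${host%"$suffix"}    # the part "*" would have to match
            if [ "$label" != "$host" ] && [ -n "$label" ]; then
              case $label in *.*) ;; *) return 0 ;; esac
            fi ;;
          *) [ "$name" = "$host" ] && return 0 ;;
        esac ;;
    esac
  done <<EOF
$(san_entries "$text")
EOF
  return 1
}
```

A return of 1 for the host in the address bar corresponds to the NET::ERR_CERT_COMMON_NAME_INVALID case described above; it says nothing about whether the issuing CA is trusted, which is the separate NET::ERR_CERT_AUTHORITY_INVALID error.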