VMware Cloud Community
jetberrocal
Enthusiast

How to download VMCA on ESXi 6 U1

I need to get the VMware Installer CA to load it in my CA store so I don't have the privacy error on my browsers.

I found this:

How to download and install vCenter Server root certificates to avoid Web Browser certificate warnin...

But it seems that does not apply to my case. I do not see the link described in the KBA.

This is what I have when I browse to the ESXi Web Host:

anydesk00005.png

Please advise.

0 Kudos
7 Replies
Mattallford
Hot Shot

In your screenshot, you are browsing to the ESXi host, not the vCenter server.

Browse to the IP address / FQDN of your vCenter server and you should be able to follow the instructions.

Cheers, Matt.

VCP6-DCV | VCAP6-DCV Deploy @mattallford If you found my answers useful, please help me by marking them as Helpful or Correct!
0 Kudos
jetberrocal
Enthusiast

Matt:

I do not have a vCenter Server just the ESXi Server.

How to download or obtain the VMCA in the ESXi Server without a vCenter Server? 

0 Kudos
Mattallford
Hot Shot

VMCA is a component of the Platform Services Controller, so nothing to do with an individual ESXi host.

If you don't have vCenter Server, the certificate on the ESXi host will be self-signed. I believe you should be able to download the self-signed cert via the web browser and then import it into the CA on your Windows machine. Or you can manually issue a trusted SSL cert from an internal CA and install this onto the ESXi host.

VCP6-DCV | VCAP6-DCV Deploy @mattallford If you found my answers useful, please help me by marking them as Helpful or Correct!
0 Kudos
jetberrocal
Enthusiast

Then I need to get the self-signed CA for the VMware Installer. Where and how do I get it?

This is the ESXi certificate:

anydesk00000.png

The ESXi Certificate is issued by VMware Installer.

I need the VMware Installer CA.

0 Kudos
Mattallford
Hot Shot

You need to download the self-signed certificate and then install it into the certificate store on your machine.

Go to the 'details' tab on the screenshot you have and you should then be able to 'copy to file' to save the certificate. You then need to import it using steps similar to the below (start from step 2).

https://pubs.vmware.com/flex-1/index.jsp?topic=%2Fcom.vmware.horizon.flex.admin.doc%2FGUID-4F29CCE6-...

Cheers, Matt.

VCP6-DCV | VCAP6-DCV Deploy @mattallford If you found my answers useful, please help me by marking them as Helpful or Correct!
0 Kudos
jetberrocal
Enthusiast

Exporting the ESXi certificate is not the same as getting the VMware Installer CA. Installing the ESXi certificate in the Trusted Root does not work to certify itself.

I need the VMware Installer certificate (self-signed) to install it in the Trusted Root. Where do I get it?

0 Kudos
eduardomozart
Contributor

Hello,

I found the same issue. I do not know why, but the "/etc/vmware/ssl/castore.pem" file (which stores the CA public certificate) from 6.0 U3 was empty on my instance (I suspect it was deleted or changed in the past), and running the command "/sbin/generate-certificates" only recreates the server cert, not the CA cert (it was still empty). Opening the file "/bin/generate-certificates" with the "vi" editor, I discovered that it was hardcoded to create the CA cert and its private key in a temp directory, issue the server cert with it and then exclude the CA cert and its private key. Only the server cert and its private key were available in the "/etc/vmware/ssl" folder. I was able to recreate the CA cert and keep the private key by running the following commands:

ln -s /bin/generate-certificates /bin/generate-certificates.sh
/sbin/generate-certificates.sh gen-ca-cert gen-cert
cat /etc/vmware/ssl/ca.crt > /etc/vmware/ssl/castore.pem
0 Kudos
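
Added example, not part of the thread or of any VMware tooling: the thread turns on the difference between the host's certificate and the CA that issued it, and the openssl CLI can show which of the two a file is and whether a CA bundle (such as a copy of castore.pem) actually validates the host certificate. The function names, the throwaway demo CA and the name esxi.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.

# Succeeds when the certificate's issuer name equals its subject name,
# i.e. the file is a self-signed (root) certificate rather than a leaf.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Prints empty-store, trusted or untrusted.
# $1 = CA bundle (e.g. a copy of castore.pem), $2 = host certificate.
check_server_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null || { echo empty-store; return 0; }
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Builds a constructed throwaway CA and a host certificate signed by it in
# directory $1, so the checks can be tried without touching a real host.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        'prompt=no' '[dn]' 'O=Constructed Demo CA' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj '/CN=esxi.example.test' \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
}

# Usage: sh check-ca.sh CA_BUNDLE HOST_CERT
if [ "$#" -eq 2 ]; then
    check_server_cert "$1" "$2"
fi
```

When the bundle holds only the host certificate itself, the result is untrusted under openssl's default chain building, because a certificate that is not self-signed is not accepted as a trust anchor there.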