In vSphere 6.0, you can now easily import your vCenter Server's trusted root CA certificate onto your client desktop by simply downloading it from the vCenter Server's landing page as shown in the screenshot below. Michael White also recently wrote about this topic here, including a step-by-step walkthrough.

[Screenshot: downloading the trusted root CA certificate from the vCenter Server landing page]

Several weeks back I was working on an internal project which required the vCenter Server's root certificate. I was already aware of this interface and had written a quick and dirty script to automate the process of downloading and importing the certificate to the system I was working on. To be honest, I did not think much of the script after I wrote it. It was just recently that Alan Renouf, who was also involved in the project, mentioned that it might be worth sharing the script as others might also find it useful. I thought that was a good idea and re-factored the code a bit since it was being used in a slightly different context. While doing so, I also created an equivalent PowerShell sample since the original script was meant to run on either a Mac OS X or Linux platform.

With that, I have created a simple shell script called import-vcrootcertificate.sh, which can run on either a Mac OS X or Linux system, and a PowerShell script called Import-VCRootCertificate.ps1.

Both scripts are pretty easy to use: they accept a single command-line argument, which is the hostname or IP address of the vCenter Server that you wish to import the root certificate from. Both scripts are able to detect whether the vCenter Server is Windows or the VCSA, since the two have a slightly different URL to the root certificate, before performing the import. Since the scripts will need access to your certificate store, you will need to run them using a privileged account.

Here is a screenshot of running the PowerShell script:

[Screenshot: PowerShell script output]

Here is a screenshot of running the shell script:

[Screenshot: shell script output]

9 thoughts on “Automating the import of vCenter Server 6.x root certificate”

  1. Awesome. This will save me a lot of time in the future. I just had to redo my vcsa and was holding off updating the cert because I didn’t want to deal with it.

  2. I am unable to run the PowerShell script, it initially gives me the error message “Exception calling “DownloadFile” with “2” argument(s): “The given path’s format is not supported.”” Everything else then fails since it can’t find the certs.zip file. I have tried it on two different systems with the same result.

  3. I am unable to run the PowerShell script, it initially gives me the error message “Exception calling “DownloadFile” with “2” argument(s): “The given path’s format is not supported.”” Everything else then fails since it can’t find the certs.zip file. I have tried it on two different systems with the same result.

    Looks like it’s missing the parameter in the function. I was able to run it after I added ([string]$VC_HOSTNAME) to the Function.

    Function Import-VCRootCertificate ([string]$VC_HOSTNAME){

  4. I’m getting a similar error to Ben and Ross. Unfortunately Ross’ fix didn’t work for me. I am running PowerShell version 5.

  5. PowerShell 5.0 here as well, so not old. When I try Ross’s fix I get a different error:

    “Unable to connect to the remote server.”

  6. sudo ./import-vcrootcertificate.sh 192.168.x.x

    Downloading VC SSL Certificate to /tmp/cert.zip
    Importing to VC SSL Certificate to Certificate Store
    ./import-vcrootcertificate.sh: line 47: [: ==: unary operator expected
    Cleaning up, delete /tmp/cert.zip
    Cleaning up, delete /tmp/certs

    change
    if [ ${OS_TYPE} == "OSX" ]
    to
    if [ "${OS_TYPE}" == "OSX" ]

    tested on Linux/Debian

Thanks for the comment!
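
The quoting fix suggested in the last comment, as an added example (not the script's own code; the function names and branch labels are hypothetical). It shows why the unquoted test is an error rather than a false result when OS_TYPE is empty, and a variant that stops on an unrecognised platform instead of carrying on under sudo.

```shell
#!/bin/sh
# Added example; function names and branch labels are hypothetical and are
# not taken from import-vcrootcertificate.sh.

# Map a kernel name (as printed by `uname -s`) to an OS_TYPE label.
# Prints nothing and returns 1 for an unrecognised platform.
os_type_from_uname() {
    case "$1" in
        Darwin) echo "OSX" ;;
        Linux)  echo "LINUX" ;;
        *)      return 1 ;;
    esac
}

# Fragile form from the comment: with OS_TYPE empty the unquoted expansion
# vanishes and the test becomes `[ == "OSX" ]`, which is a usage error
# (exit status 2), not a clean "false". The message is silenced here.
is_osx_unquoted() {
    OS_TYPE=$1
    [ ${OS_TYPE} == "OSX" ] 2>/dev/null
}

# Quoted form: an empty value is compared as an empty string (status 1).
# `=` is the POSIX operator; `==` is only accepted by some shells.
is_osx_quoted() {
    OS_TYPE=$1
    [ "${OS_TYPE}" = "OSX" ]
}

# Fail closed: refuse to choose an import branch for an unknown platform
# rather than falling through to whichever branch happens to come last.
pick_import_branch() {
    OS_TYPE=$(os_type_from_uname "$1") || { echo "unsupported"; return 1; }
    if is_osx_quoted "${OS_TYPE}"; then
        echo "osx-keychain"
    else
        echo "linux-ca-store"
    fi
}

# Constructed inputs standing in for the output of `uname -s`.
for kernel in Darwin Linux FreeBSD; do
    printf '%s -> %s\n' "$kernel" "$(pick_import_branch "$kernel")"
done
```
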