When configuring vCenter Server Identity Provider Federation, if you use a self-signed certificate, you must import the root CA certificate to the vCenter Server JRE truststore.

vCenter Server must connect to various endpoints on the AD FS server during both configuration and login. This process requires validation of the AD FS server certificate to establish the necessary HTTPS connections. Because this validation must be done in both the vSphere Client and vCenter Server, the Java JRE truststore is used to establish the HTTPS connections.

For production deployments, Microsoft requires you to use publicly trusted AD FS SSL Certificate Authority certificates. As a result, vCenter Server Identity Provider Federation expects you to use a publicly trusted Certificate Authority (CA) certificate. If you use certificates signed by publicly trusted Certificate Authorities, the vCenter Server JRE truststore is already pre-loaded with these well-known Certificate Authorities, and the HTTPS connection succeeds automatically.

In general, for production environments, use CA-generated certificates. Use self-signed certificates only for non-production or test environments.

Prerequisites

Procedure

  1. Upload the root CA certificate to vCenter Server using an SFTP client such as WinSCP.
  2. Log in to the vCenter Server shell as root.
  3. Change to the /usr/java/jre-vmware/bin/ directory.
  4. To import the certificate, run the keytool command.
    keytool -import -trustcacerts -file certificate -alias alias -keystore $VMWARE_JAVA_HOME/lib/security/cacerts -storepass changeit

    Where certificate is the relative path to the uploaded certificate file.

  5. View the certificate.
    keytool -list -v -keystore $VMWARE_JAVA_HOME/lib/security/cacerts
  6. Restart the vsphere-ui service.
    service-control --stop vsphere-ui
    service-control --start vsphere-ui
  7. Restart the trustmanagement service.
    service-control --start vmware-trustmanagement
  8. Restart the STS service.
    service-control --start vmware-stsd
  9. Disable SSH login to vCenter Server.