vCenter certificate validation

The connection from the VMware plugin to the vCenter server always uses HTTPS, so the communication is encrypted. Encryption alone does not prove that the plugin is talking to the genuine vCenter, so to fully secure this communication the best practice is to also enable validation of the vCenter server certificate.

The process below forces the plugin to verify the server certificate. For verification to succeed, the certificate must either be signed by a well-known public Certificate Authority, or the server certificate to trust must be provided in the configuration.

  1. To configure the certificate verification, you must obtain the certificate of the vCenter server in PEM format. To obtain the certificate, do either of the following:
    • Use your browser to export the certificate to the PEM format and store it on your local system.

      You can do this by opening the vCenter UI and using the standard browser capabilities to view the certificate details and export the certificate. The exact procedure depends on which browser you use and can be found in the documentation for your browser.

    • Use the vCenter API to fetch the TLS details of the server and use the "cert" field of the output.

      For more details about the API, check the documentation for the vCenter Server version. For example, for version v7.0u3, see https://developer.vmware.com/apis/vsphere-automation/v7.0U3/vcenter/api/vcenter/certificate-management/vcenter/tls/get/

  2. In the Connect Deployment configuration for the vCenter, update the following two settings:
    • Tls Verify: set this field to "true".
    • Certificate: provide the certificate PEM content here, as a single block starting with the -----BEGIN CERTIFICATE----- text and ending with the -----END CERTIFICATE----- text.

After you have made these changes, the vCenter plugin will start validating the certificate of vCenter and will fail the connection if the certificate presented by vCenter cannot be validated against the provided details. An alarm will be raised in case there is a connectivity issue.
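Both ways of obtaining the certificate above end with the same single PEM block. As an added example (not code from the plugin or from VMware), the Python helper below pulls the "cert" field out of a saved vcenter/tls API response, checks that it is exactly the BEGIN/END block the Certificate setting expects, prints the SHA-256 fingerprint so you can compare it with what the browser shows before pinning it, and then opens a connection that trusts only that certificate, which is the same check the plugin performs once Tls Verify is true. The response shapes (a bare object on /api, a "value" wrapper on /rest), the file names and the host name are assumptions.

```python
"""Added helper: sanity-check the vCenter certificate before pinning it in the plugin."""
import hashlib
import json
import ssl
import sys
import urllib.error
import urllib.request

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def cert_from_tls_response(body: str) -> str:
    """Return the 'cert' field from a saved GET vcenter/tls response (JSON text).
    Assumption: /api returns the object bare, /rest wraps it in a "value" key."""
    obj = json.loads(body)
    return obj.get("value", obj)["cert"]

def normalize_pem(pem: str) -> str:
    """Confirm the text is one certificate block with the markers the Certificate setting expects."""
    pem = pem.strip()
    if not (pem.startswith(BEGIN) and pem.endswith(END)) or pem.count(BEGIN) != 1:
        raise ValueError("expected a single PEM CERTIFICATE block with BEGIN/END markers")
    ssl.PEM_cert_to_DER_cert(pem)  # raises ValueError if the base64 body is corrupt
    return pem + "\n"

def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 of the DER, the form browsers show in the certificate details."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(normalize_pem(pem))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def pinned_context(pem: str) -> ssl.SSLContext:
    """TLS context that trusts only the given certificate; no system CAs are loaded."""
    ctx = ssl.create_default_context(cadata=normalize_pem(pem))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def check_connection(host: str, pem: str) -> bool:
    """True if vCenter's certificate validates against the pinned PEM and the host name."""
    try:
        with urllib.request.urlopen(f"https://{host}/", context=pinned_context(pem), timeout=10):
            return True
    except urllib.error.HTTPError:
        return True  # HTTP-level error, but the TLS handshake already succeeded
    except ssl.SSLCertVerificationError:
        return False  # what the plugin will report as a connectivity alarm

if __name__ == "__main__":
    # usage (hypothetical names): python pin_check.py vcenter.example.internal tls_response.json
    host, path = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        cert = cert_from_tls_response(fh.read())
    print("SHA-256:", sha256_fingerprint(cert))
    print("pinned connection ok" if check_connection(host, cert) else "certificate mismatch")
```

Run it once with the exported PEM before saving the plugin settings; a mismatch here means the plugin would raise the connectivity alarm with the same certificate.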