VMware Horizon and vCenter Server Certificate Issue

After upgrading the vCenter Server used by Horizon, you may find that the vCenter Server tab on the VMware Horizon Administrator dashboard turns red and reports a certificate issue. When you check the vCenter Server option under the View Configuration tab, you may see a message that the certificate is untrusted, with an option to either accept or reject it. After accepting the certificate, you may get the message, “There was an error identifying the validity of the server”.

To fix the issue, follow these steps:

  1. Use a web browser that uses the operating system certificate store on Windows (such as Internet Explorer or Google Chrome).
  2. From the browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending the port numbers or the ‘vsphere-client’ extension. For example: https://vcenter.domain.com/
  3. Alternatively, the vCenter Server certificates can be downloaded directly from https://vCenter_FQDN/certs/download.zip
  4. Right-click the download trusted root CA certificate link at the bottom of the grey box on the right and select Save link as. This prompts you to download a file called ‘download.zip’.
  • The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  • Extract the contents of the ZIP file.
  • The result is a folder that contains two types of files. Files with a number as the extension (.0, .1 and so on) are root certificates. Files with an extension that starts with an r (.r0, .r1 and so on) are CRL files associated with a certificate.

Next, add the certificates on all the Connection Servers in the VMware Horizon environment.

  1. RDP to the Connection server.
  2. Open the MMC Certificates Snap-in for Local Computer Account.
  3. Expand Trusted Root Certification Authorities, right-click the Certificates folder, and select All Tasks > Import.
  4. On the Welcome screen of the Certificate Import Wizard, click Next.
  5. Browse and select the vCenter certificates which you downloaded in the steps mentioned above.
  6. Select “Automatically select the certificate store based on the type of certificate” and click Next.
  7. Complete the Certificate Import Wizard.
  8. The certificates should be imported to the root cert store successfully.
  9. After the process has been completed on all the Connection Servers, the servers need to be rebooted.
  10. Reboot the Connection Servers as per the KB: https://kb.vmware.com/s/article/2068381.
  11. Once the Connection Servers have been rebooted and the services have restarted, verify the vCenter certificate in the VMware Horizon Administrator console.
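
The extract-and-import steps above can also be scripted on each Connection Server, with a review of what is about to enter the machine trust store. The following PowerShell is an added example, not part of the original article or any VMware tooling; the paths and the approved thumbprint list are placeholders, and it assumes an elevated session and that each thumbprint has been confirmed with the vCenter or PKI owner first.

```powershell
# Added example. Paths and the approved-thumbprint list are assumptions; run elevated.
$ZipPath    = 'C:\Temp\download.zip'      # hypothetical location of the downloaded ZIP
$ExtractDir = 'C:\Temp\vcenter-certs'     # hypothetical working folder
# Thumbprints confirmed before import (placeholder value, replace with your own).
$Approved   = @('<THUMBPRINT-CONFIRMED-OUT-OF-BAND>')

Expand-Archive -LiteralPath $ZipPath -DestinationPath $ExtractDir -Force

# Root certificates carry a purely numeric extension (.0, .1, ...); .r0, .r1 ... are CRLs.
$certs = Get-ChildItem -Path $ExtractDir -Recurse -File |
    Where-Object { $_.Extension -match '^\.\d+$' } |
    ForEach-Object {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName
    } |
    Sort-Object Thumbprint -Unique

# Show every candidate before touching the Trusted Root store.
$certs | Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter,
    @{ n = 'SelfSigned';     e = { $_.Subject -eq $_.Issuer } },
    @{ n = 'AlreadyTrusted'; e = { Test-Path "Cert:\LocalMachine\Root\$($_.Thumbprint)" } } |
    Format-List

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try {
    foreach ($cert in $certs) {
        # Only import roots whose thumbprint was explicitly approved.
        if ($Approved -notcontains $cert.Thumbprint) {
            Write-Warning "Skipped (not approved): $($cert.Subject) $($cert.Thumbprint)"
            continue
        }
        # An expired root will not fix the validation error; skip it.
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Skipped (expired): $($cert.Subject) $($cert.Thumbprint)"
            continue
        }
        $store.Add($cert)
        Write-Output "Imported: $($cert.Subject) $($cert.Thumbprint)"
    }
}
finally {
    $store.Close()
}
```

With the placeholder left in `$Approved`, the script lists the candidate certificates and imports nothing, which makes a first run a safe review pass.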