This document shows how to get the root certificate for your vCenter server.
When a client, like Anthos clusters on VMware (GKE on-prem), sends a request to your vCenter server, the server must prove its identity to the client by presenting a certificate or a certificate bundle. To verify the certificate or bundle, Anthos clusters on VMware must have the root certificate in the chain of trust.
When you fill in an
admin workstation configuration file,
you provide the path of the root certificate in the
Your VMware installation has a certificate authority (CA) that issues a certificate to your vCenter server. The root certificate in the chain of trust is a self-signed certificate created by VMware.
If you do not want to use the VMWare CA, which is the default, you can configure VMware to use a different certificate authority.
If your vCenter server uses a certificate issued by the default VMware CA, download the certificate as follows:
curl -k "https://[SERVER_ADDRESS]/certs/download.zip" > download.zip
Replace [SERVER_ADDRESS] with the address of your vCenter server.
unzip command and unzip the certificate file:
sudo apt-get install unzip unzip download.zip
If the unzip command doesn't work the first time, enter the command again.
Find the certificate file and a revocation file in
certs/lin. For example:
In the preceding example,
457a65e8.0 is the certificate file, and
457a65e8.r0 is the revocation file.
You can rename the certificate file to any name of your choice. The file
extension can be
.pem, but it doesn't have to be
For example, suppose you rename the certificate file to
View the contents of
The output shows the base64-encoded certificate. For example:
-----BEGIN CERTIFICATE----- MIIEGTCCAwGgAwIBAgIJAPW1akYrS5L6MA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGTAXBgNV ... 0AaWpaT9QCTS31tbBgBYB1W+IS4qeMK5dz5Tko5460GgbSNLuz5Ml+spW745RbGA 76ePS+sXL0WYqZa1iyAb3x8E3xn5cVGtJlxXu4PkJa76OtdDjqWAlqkNvVZB -----END CERTIFICATE-----
View the decoded certificate:
openssl x509 -in vcenter-ca-cert.pem -text -noout
The output shows the decoded certificate For example:
Certificate: Data: Version: 3 (0x2) Serial Number: f5:b5:6a:46:2b:4b:92:fa Signature Algorithm: sha256WithRSAEncryption Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = uphc-vc01.anthos, OU = VMware Engineering Validity ... Subject: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = uphc-vc01.anthos, OU = VMware Engineering Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:e0:39:28:9d:c1:f5:ac:69:04:3f:b0:a0:31:9e: 89:0b:6e:f7:1e:2b:3b:94:ac:1c:47:f0:52:2e:fa: 6d:52:2c:de:66:3e:4e:40:6a:58:c7:cc:99:46:81: ... 5c:d6:a9:ab:a9:87:26:0f:d2:ef:9e:a1:61:3d:38: 18:bf Exponent: 65537 (0x10001) X509v3 extensions: ... Signature Algorithm: sha256WithRSAEncryption 58:24:57:36:a4:66:fa:16:e1:82:b1:ee:a7:1a:77:db:77:6c: 0a:b7:2e:7a:11:ca:0b:38:21:d2:d2:ab:3c:30:82:3f:ae:22: ... ad:26:5c:57:bb:83:e4:25:ae:fa:3a:d7:43:8e:a5:80:96:a9: 0d:bd:56:41
Copy your certificate file to a location of your choice.
Then when you need to provide a value for
caCertPath in a configuration file,
enter the path of your certificate file.
For example, in your admin workstation configuration file:
gcp: ... vCenter: ... caCertPath: "/path/to/vcenter-ca-cert.pem"