VxRail: How to make a browser trust the VxRail Manager Certificate

By default, after VxRail cluster initial configuration, the VxRail Manager certificate is self-signed without a public CA. It is not recognized by the browser as a trusted certificate. This blocks the connection between CloudIQ Webapp and the VxRail Manager.

This article provides several options to make a browser trust the VxRail Manager certificates.

1. Public CA issued Certificate.

The well-known public CA (Certificate Authorities) certificates are installed in the browser as part of the browser installation.

If the VxRail Manager certificate is signed by a public CA, the certificate is trusted by the browser automatically, no manual operation is needed.

y. Company CA issued Certificate.

If the organization manages the company owned CA, and VxRail Manager certificate is signed by the company CA, the user must import the company root CA certificate into the browser as a Trusted Root Certification Authority. This makes all company CA signed VxRail manager certificates trusted by the browser.

If the company is using an intermediate CA to sign VxRail manager certificates, then the intermediate CA certificates must be also imported into the browser as a trusted Intermediate Certification Authority.

3. VxRail self-signed Certificate

If VxRail manager is still using a self-signed certificate (which is not recommended), check KB 000194174 to ensure the VxRail manager certificate is valid. In order to make the browser trust VxRail Manager certificate, the user has to import EVERY individual VxRail Manager certificate into the browser as a Trusted Root Certification Authority.

Note: If the current VxRail manager certificate does not meet any of the conditions above, follow VxRail plugin "Certificate Management" page in vCenter to update the VxRail manager certificate. Then follow the suggested operation to make the browser trust the VxRail manager certificate.

As part of CloudIQ Intelligent Management Systems feature, below operations may handle credential data:

• HCI Settings: Admin - HCI page, Enable vCenter Access, or Manage Credentials.
• Run system update for VxRail systems: Health - System Updates - HCI (tab) page, run UPDATE task for VxRail systems.

Due to security concerns, when performing these operations, CloudIQ Webapp in the browser must be on the same network with VxRail Manager for direct HTTPS connection. 

This requires the browser to be able to trust all certificates of the VxRail Manager for each VxRail system that a user can access.