Last updated: 2025-08-31 (UTC).

This document shows how to get the root certificate for your vCenter server.
This page is for IT administrators and Operators who manage the
lifecycle of the underlying tech infrastructure. To learn more about common
roles and example tasks that we reference in Google Cloud content, see
[Common GKE user roles and tasks](/kubernetes-engine/enterprise/docs/concepts/roles-tasks).

When a client, like Google Distributed Cloud, sends a request to your
vCenter server, the server must prove its identity to the client by presenting
a certificate or a certificate bundle. To verify the certificate or bundle,
Google Distributed Cloud (software only) for VMware must have the root certificate in
the chain of trust.

When you fill in an
[admin workstation configuration file](/kubernetes-engine/distributed-cloud/vmware/docs/how-to/admin-workstation-configuration-file),
you provide the path of the root certificate in the `vCenter.caCertPath` field.

Your VMware installation has a certificate authority (CA) that issues a
certificate to your vCenter server. The root certificate in the chain of trust
is a self-signed certificate created by VMware.

If you do not want to use the VMware CA, which is the default, you can configure
VMware to
[use a different certificate authority](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-3D0DE463-D0EC-442E-B524-64759D063E25.html).

If your vCenter server uses a certificate issued by the default VMware CA,
download the certificate as follows:

```
curl -k "https://[SERVER_ADDRESS]/certs/download.zip" > download.zip
```

Replace `[SERVER_ADDRESS]` with the address of your vCenter server.

Install the `unzip` command and unzip the certificate file:

```
sudo apt-get install unzip
unzip download.zip
```

If the unzip command doesn't work the first time, enter the command again.

Find the certificate file and a revocation file in `certs/lin`. For example:

```
457a65e8.0
457a65e8.r0
```

In the preceding example, `457a65e8.0` is the certificate file, and
`457a65e8.r0` is the revocation file.

You can rename the certificate file to any name of your choice. The file
extension can be `.pem`, but it doesn't have to be `.pem`.

For example, suppose you rename the certificate file to `vcenter-ca-cert.pem`.

View the contents of `vcenter-ca-cert.pem`:

```
cat vcenter-ca-cert.pem
```

The output shows the base64-encoded certificate. For example:

```
-----BEGIN CERTIFICATE-----
MIIEGTCCAwGgAwIBAgIJAPW1akYrS5L6MA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD
VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ
FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGTAXBgNV
...
0AaWpaT9QCTS31tbBgBYB1W+IS4qeMK5dz5Tko5460GgbSNLuz5Ml+spW745RbGA
76ePS+sXL0WYqZa1iyAb3x8E3xn5cVGtJlxXu4PkJa76OtdDjqWAlqkNvVZB
-----END CERTIFICATE-----
```

View the decoded certificate:

```
openssl x509 -in vcenter-ca-cert.pem -text -noout
```

The output shows the decoded certificate. For example:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f5:b5:6a:46:2b:4b:92:fa
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = uphc-vc01.anthos, OU = VMware Engineering
        Validity
            ...
        Subject: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = uphc-vc01.anthos, OU = VMware Engineering
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e0:39:28:9d:c1:f5:ac:69:04:3f:b0:a0:31:9e:
                    89:0b:6e:f7:1e:2b:3b:94:ac:1c:47:f0:52:2e:fa:
                    6d:52:2c:de:66:3e:4e:40:6a:58:c7:cc:99:46:81:
                    ...
                    5c:d6:a9:ab:a9:87:26:0f:d2:ef:9e:a1:61:3d:38:
                    18:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            ...
    Signature Algorithm: sha256WithRSAEncryption
         58:24:57:36:a4:66:fa:16:e1:82:b1:ee:a7:1a:77:db:77:6c:
         0a:b7:2e:7a:11:ca:0b:38:21:d2:d2:ab:3c:30:82:3f:ae:22:
         ...
         ad:26:5c:57:bb:83:e4:25:ae:fa:3a:d7:43:8e:a5:80:96:a9:
         0d:bd:56:41
```

Copy your certificate file to a location of your choice.

Then when you need to provide a value for `caCertPath` in a configuration file,
enter the path of your certificate file.

For example, in your admin workstation configuration file:

```
gcp:
  ...
vCenter:
  ...
  caCertPath: "/path/to/vcenter-ca-cert.pem"
```
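
Because `curl -k` skips TLS verification, the downloaded bundle is unauthenticated until you check it. The following script is an added example, not part of the original page: it confirms that a file from `certs/lin` is a currently valid self-signed root and prints its SHA-256 fingerprint for comparison against a value obtained over a channel you already trust. The function names and the script name are illustrative, and it assumes `openssl` is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names are illustrative.
# `curl -k` skips TLS verification, so download.zip is unauthenticated: check the
# extracted CA file before pointing vCenter.caCertPath at it.

# List certificate files (*.0) in a certs/lin-style directory, skipping *.r0 files.
list_ca_certs() {
  find "$1" -maxdepth 1 -type f -name '*.0' | sort
}

# Succeed only if the file is a self-signed certificate: subject equals issuer,
# the signature verifies under its own public key, and it has not expired.
is_self_signed_root() {
  local cert="$1" subject issuer
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 1
  [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint as colon-separated hex.
sha256_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage (hypothetical script name): ./check-vcenter-ca.sh certs/lin
if [ "$#" -ge 1 ]; then
  list_ca_certs "$1" | while IFS= read -r cert; do
    if is_self_signed_root "$cert"; then
      echo "self-signed root: $cert"
      echo "  sha256: $(sha256_fingerprint "$cert")"
    else
      echo "NOT a valid self-signed root: $cert" >&2
    fi
  done
  # Once the fingerprint matches the trusted value, confirm that the server
  # validates against this root without -k:
  #   curl --cacert vcenter-ca-cert.pem "https://[SERVER_ADDRESS]/" -o /dev/null
fi
```

If the fingerprint does not match, do not use the file as `caCertPath`; download it again over a path you can authenticate.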