SSL/TLS certificate validation in VMware connections
Expired certificate on an existing VMware connection
If an existing VMware connection’s certificate expires, the system raises a Connection Failure Alarm with the message: Cannot connect to VMware server 'Vmware Name' : Spotlight has detected expired SSL certificate.
In this scenario, Spotlight Enterprise does not provide an option to establish a new VMware connection for monitoring purposes.
Previously expired certificate turns valid on an existing VMware connection
If a certificate that was previously expired becomes valid, users must remove the existing VMware connection and then re-add the same connection in Spotlight to resume monitoring.
- Renewing the certificate alone does not automatically restart monitoring.
- To reset the connection failure alarm, the user must remove and re-add the connection after the certificate is renewed.
Expired certificate on a newly added VMware connection
Users cannot add a new VMware connection with an expired certificate.
Invalid certificate on a newly added VMware connection
When a new VMware connection is added with an invalid certificate, a popup is displayed with the message:
Spotlight has detected invalid SSL certificate. View Certificate file. I understand the risk and want to connect anyway. Learn more.
- If the customer selects Yes, the connection is added.
- If the customer selects Cancel, they are redirected back to the Connection Manager screen.
Previously valid certificate turns invalid on an existing VMware connection
If an existing VMware connection with a previously valid certificate becomes invalid, the system raises an alarm with the message: Monitored Server - Invalid SSL certificates for is detected. Validate certificate for
In this scenario, the connection is disconnected, monitoring stops, and the existing connection can no longer be used.
Previously invalid certificate turns valid on an existing VMware connection
If a certificate that was previously marked as invalid becomes valid, the Spotlight Enterprise application automatically detects the status change. As a result:
- New alarms for the invalid certificate will no longer be raised.
- Any existing alarms related to the invalid certificate are automatically cleared.
SSL certificate validation issues
To verify the validity of an SSL certificate, check for SSL certificate errors. If the error count is 0 or no errors are found, the certificate is considered valid. Besides None, there are three types of SslPolicyErrors:
| Name | Value | Description |
|---|---|---|
| None | 0 | No SSL policy errors. |
| RemoteCertificateNotAvailable | 1 | The certificate is not available. |
| RemoteCertificateNameMismatch | 2 | The certificate name does not match the hostname. |
| RemoteCertificateChainErrors | 4 | The certificate chain contains errors. |
Common scenario: IP address usage in VMware connection
If a user connects to a VMware server using an IP address instead of a hostname, a certificate warning may appear—even if the connection is valid.
This typically results in a RemoteCertificateNameMismatch error. It occurs when the Common Name (CN) or Subject Alternative Name (SAN) in the certificate does not match the IP address used in the connection.
UI message displayed:
Spotlight has detected invalid or expired SSL certificate. Learn More
Clicking Learn More will open a knowledge base (KB) article with further details.
Recommendations
- To avoid this error, connect using the hostname that matches the CN or SAN in the certificate.
- If SSL errors are detected, a message will be shown in the UI to inform the user about the invalid certificate.
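The following sketch is an added example, not Spotlight or .NET code. It decodes a numeric SslPolicyErrors value from the table above into flag names, and predicts whether a connection target (hostname or IP address) would produce RemoteCertificateNameMismatch against a certificate's names. The matching rules are a simplified RFC 2818 model and an assumption; the certificate names, function names and addresses are constructed for illustration.

```python
import ipaddress

# Flag values from the SslPolicyErrors table; .NET combines them bitwise,
# so a single reported value can carry more than one error.
SSL_POLICY_ERRORS = {
    1: "RemoteCertificateNotAvailable",
    2: "RemoteCertificateNameMismatch",
    4: "RemoteCertificateChainErrors",
}

def decode_policy_errors(value):
    """Return the name of every flag set in a numeric SslPolicyErrors value."""
    return [n for bit, n in SSL_POLICY_ERRORS.items() if value & bit] or ["None"]

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may replace only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(target, dns_sans=(), ip_sans=(), common_name=None):
    """Simplified RFC 2818 check (assumption, not Spotlight's or .NET's code)."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP target matches only an IP-type SAN entry, never a DNS name.
        return any(ipaddress.ip_address(ip) == addr for ip in ip_sans)
    # The CN is consulted only when the certificate carries no DNS SAN.
    names = list(dns_sans) or ([common_name] if common_name else [])
    return any(_dns_match(n, target) for n in names)

# Constructed sample: names on a hypothetical vCenter certificate.
SAMPLE_CERT = {
    "common_name": "vcenter01.example.test",
    "dns_sans": ["vcenter01.example.test", "*.lab.example.test"],
    "ip_sans": [],
}

def expected_name_flags(target, cert=SAMPLE_CERT):
    """Predict the name-related SslPolicyErrors flags for a connection target."""
    ok = name_matches(target, cert["dns_sans"], cert["ip_sans"], cert["common_name"])
    return decode_policy_errors(0 if ok else 2)
```

With the sample certificate, connecting as vcenter01.example.test yields no name error, while connecting to the same server by IP address yields RemoteCertificateNameMismatch because the certificate carries no IP-type SAN entry.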
How to view the certificate CN (Common Name)
- Navigate to the ESXi host or vCenter Server.
- Go to Host or vCenter Settings.
- Select Configuration | Software.
- Locate and open Certificate or SSL Certificate.
- View the certificate details to find the Common Name (CN).
Remote certificate chain error in VMware connection
For RemoteCertificateChainErrors, please refer to the Microsoft documentation on RemoteCertificateChainErrors for possible causes.